CVE-2025-64354: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability has been identified in the Gutenberg WordPress plugin, tracked as CVE-2025-64354. The vulnerability affects versions up to and including 21.8.2, discovered and disclosed on October 31, 2025. The issue exists in the Matias Ventura Gutenberg plugin due to insufficient input sanitization and output escaping (Rapid7).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79) issue. It has received a CVSS v3.1 base score of 6.5 (Medium), with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. The scoring indicates that the vulnerability requires network access, low attack complexity, low privileges, and user interaction, with changed scope and low impact on confidentiality, integrity, and availability (NVD).

The vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page, potentially leading to unauthorized data access, session hijacking, or other client-side attacks (Rapid7).