CVE-2025-9075: 
WordPress vulnerability analysis and mitigation

The ZoloBlocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via multiple Gutenberg blocks in versions up to, and including, 2.3.10. This vulnerability was discovered and disclosed on October 1, 2025. The issue affects multiple block components including Google Maps markers, Lightbox captions, Image Gallery data attributes, Progress Pie prefix/suffix fields, and Text Path URL fields (NVD).

The vulnerability stems from insufficient input sanitization and output escaping on user-supplied attributes within multiple block components. The vulnerability has been assigned a CVSS v3.1 Base Score of 6.4 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The issue is classified as CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (NVD).

This vulnerability makes it possible for authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This could lead to potential data theft, session hijacking, or other malicious actions performed in the context of the victim's browser (NVD).

Users should update to a version newer than 2.3.10 when available. Until then, site administrators should carefully review and limit user roles that have access to create or edit content using the affected Gutenberg blocks (NVD).