CVE Details
Basic Information
| Title | Flex Guten <= 1.2.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via thumbnailHoverEffect Parameter |
|---|---|
| Type | cve |
| Published | 2025-08-06T01:45:12.660Z |
| Modified | 2025-08-06T01:45:12.660Z |
Product Information
| Vendor | dragwp |
|---|---|
| Product | Flex Guten – A Multipurpose Gutenberg Blocks Plugin |
| Version | * |
CVSS Information
| Base Score | 6.4 (MEDIUM) |
|---|---|
| Vector String | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N |
AI Analysis
| AI Description | The Flex Guten WordPress plugin is vulnerable to Stored Cross-Site Scripting (XSS) due to insufficient input sanitization and output escaping in the ‘thumbnailHoverEffect’ parameter. This allows authenticated attackers with Contributor-level access or higher to inject malicious scripts that execute when a user accesses the injected page. |
|---|---|
| AI Severity | Medium |
| AI Vendor | WordPress Community |
| AI Product | Flex Guten – A Multipurpose Gutenberg Blocks Plugin |
| AI Version | 1.2.5 |
Affected Products
- dragwp Flex Guten – A Multipurpose Gutenberg Blocks Plugin *
Additional Information
| CWE List | CWE-79 |
|---|---|
| Source | Wordfence |
Description
The Flex Guten plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘thumbnailHoverEffect’ parameter in all versions up to, and including, 1.2.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.