CVE-2025-15021
Stored XSS in Gotham Block Extra Light Plugin Admin Settings
Publication date: 2026-01-14
Last updated on: 2026-04-08
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| kapsule_network | gotham_block_extra_light | to 1.5.0 (inc) |
| kapsule_network | gotham_block_extra_light | 1.6.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Gotham Block Extra Light WordPress plugin is a Stored Cross-Site Scripting (XSS) issue. It occurs because the plugin does not properly sanitize and escape input in the admin settings. This allows authenticated users with administrator-level permissions or higher to inject malicious scripts into pages. These scripts then execute whenever any user accesses the affected pages. This vulnerability specifically affects multi-site WordPress installations or those where the unfiltered_html capability is disabled.
How can this vulnerability impact me? :
This vulnerability can allow an attacker with admin-level access to inject malicious scripts into the website. These scripts can execute in the browsers of users who visit the injected pages, potentially leading to theft of sensitive information, session hijacking, or other malicious actions. Since it is a stored XSS, the malicious code persists on the site and affects all users who access the compromised pages. However, exploitation requires administrator-level permissions and affects only multi-site or restricted unfiltered_html installations.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the presence of the Gotham Block Extra Light plugin version 1.5.0 or earlier on WordPress multi-site installations where unfiltered_html is disabled. Since the vulnerability involves stored cross-site scripting via admin settings, detection involves reviewing admin-configured settings for suspicious scripts or payloads. There are no specific network commands provided to detect this vulnerability. However, you can inspect the WordPress plugin directory or use WP-CLI commands such as `wp plugin list` to identify the plugin and its version. Additionally, reviewing the admin settings for injected scripts manually or via database queries may help detect exploitation attempts. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading the Gotham Block Extra Light plugin to a version later than 1.5.0 where the vulnerability is fixed. If an upgrade is not immediately possible, restrict administrator-level access to trusted users only, and ensure that unfiltered_html is enabled or carefully monitor and sanitize admin inputs to prevent script injection. Additionally, consider disabling the plugin temporarily on multi-site installations until a patch is applied.