Summary
I recently discovered an authenticated (Contributor+) stored Cross-Site Scripting (XSS) vulnerability in the WordPress B-Blocks plugin that has now been assigned CVE-2025-54708. This security flaw affected all versions up to and including 2.0.5 of the “B Blocks – The ultimate block collection” plugin.
I responsibly disclosed this vulnerability through the Patchstack bug bounty program. The plugin developers responded promptly and released a security patch.
About The “B Blocks” Plugin
B Blocks is a lightweight and flexible Gutenberg plugin that transforms the native block editor into a powerful page builder for WordPress. Designed with performance and usability in mind, B Blocks extends the capabilities of core blocks by adding 30+ custom elements, pre-built Gutenberg templates, and flexible layout options—all without the need for bulky third-party tools.
Plugin Name | B Blocks – Essential Gutenberg Blocks & Patterns Collection |
Plugin Slug | b-blocks |
WP.org Profile | https://wordpress.org/plugins/b-blocks/ |
Active Installations | 800+ |
Vulnerable Version | 2.0.5 |
Patched Version | 2.0.6 |
CVSS & Severity | Medium (6.5) |

Attack Scenario
Step 01:
As an administrator, install and activate the vulnerable plugin version 2.0.5.

Make sure that the Button block is enabled.

Step 02:
Now login as a contributor level user and create a new post in the Gutenberg editor. Then insert the Button block.

Step 03:
In the Button block settings, enter the following payload in the URL input field, then click `Submit For Review`.
javascript:alert(1);

The source code of the Button block after entering the URL:
<!-- wp:b-blocks/button {"url":"javascript:alert(1);"} /-->
Step 04:
Log in as an administrator and preview the post. The payload executes when you click the button.

Vulnerable Code
The vulnerable code is the minified React front-end code in the file view.js.
Path: wp-content/plugins/b-blocks/build/button/view.js
Repo: https://plugins.trac.wordpress.org/browser/b-blocks/tags/2.0.5/build/button/view.js

Patch

Timeline
Report Submitted To Patchstack | 30 July, 2025 |
Vendor Contacted | 04 August, 2025 |
Patch Submitted | 06 August, 2025 |
Published | 14 August, 2025 |
Conclusion
When handling user input for URL fields, always guard against XSS payloads such as javascript:alert(1);.
PHP layer security (backend): use the WordPress sanitization functions esc_url_raw() before storing a URL in the database and esc_url() when outputting it.
Frontend JavaScript security: validate URLs before rendering, for example by parsing them with the URL() constructor, and filter the protocol on the client side. Use textContent instead of innerHTML whenever possible; if HTML insertion is necessary, build the markup with DOM manipulation methods and escape values properly.
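The client-side advice above, as an added example that is not the plugin's own code: an allowlist check built on the URL() constructor, a small parser for the serialised block comment shown in Step 03, and a render path that uses DOM methods and textContent instead of innerHTML. The allowed-scheme set, the example base URL and the parseBlockAttrs helper are assumptions made for this example.

```javascript
// Added example, not the plugin's code: allowlist URL validation for a block's
// "url" attribute and a render path that never touches innerHTML.

// Schemes the button may navigate to. javascript:, data: and vbscript: are
// rejected simply by not being listed; the URL parser, not a regex, decides
// what the scheme actually is.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:", "mailto:", "tel:"]);

// Assumed base for resolving relative links like "/contact"; in a browser
// pass document.baseURI instead.
const DEFAULT_BASE = "https://example.invalid/";

// Returns a normalised absolute href, or null if the value must not be used.
// The WHATWG parser strips surrounding whitespace and embedded tab/newline
// characters, so " java\tscript:alert(1)" is still seen as javascript: and
// rejected.
function safeHref(raw, base = DEFAULT_BASE) {
  if (typeof raw !== "string" || raw.trim() === "") return null;
  let parsed;
  try {
    parsed = new URL(raw, base);
  } catch {
    return null; // unparsable input is not a link
  }
  return ALLOWED_PROTOCOLS.has(parsed.protocol) ? parsed.href : null;
}

// Extracts the JSON attributes from a serialised block comment such as
// <!-- wp:b-blocks/button {"url":"javascript:alert(1);"} /-->
// Returns the attributes object, {} if there are none, or null on mismatch.
function parseBlockAttrs(comment, blockName) {
  const m = comment.match(/^<!--\s*wp:(\S+)\s*(\{.*\})?\s*\/?-->$/s);
  if (!m || m[1] !== blockName) return null;
  return m[2] ? JSON.parse(m[2]) : {};
}

// Builds the anchor with DOM methods: the label goes through textContent and
// the href through the allowlist, so neither can inject markup or a script:
// URL. `doc` is the real document in a browser (or any object with a
// DOM-like createElement).
function renderButton(doc, attrs) {
  const a = doc.createElement("a");
  const href = safeHref(attrs.url);
  if (href !== null) a.setAttribute("href", href); // unsafe url: no href at all
  a.setAttribute("rel", "noopener");
  a.textContent = attrs.label ?? "";
  return a;
}
```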