CVE-2025-15021 Overview
CVE-2025-15021 is a Stored Cross-Site Scripting (XSS) vulnerability [CWE-79] in the Gotham Block Extra Light plugin for WordPress. The flaw affects all plugin versions up to and including 1.5.0. The vulnerability stems from insufficient input sanitization and output escaping in the plugin's admin settings. Authenticated attackers with administrator-level permissions can inject arbitrary JavaScript that executes when users access affected pages. The issue only affects multi-site installations and configurations where unfiltered_html has been disabled.
Critical Impact
Authenticated administrators on multi-site WordPress installations can inject persistent JavaScript payloads that execute in the browser context of any user viewing the affected pages.
Affected Products
- Gotham Block Extra Light plugin for WordPress — versions up to and including 1.5.0
- WordPress multi-site installations using the affected plugin
- WordPress installations with unfiltered_html capability disabled
Discovery Timeline
- 2026-01-14 - CVE-2025-15021 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-15021
Vulnerability Analysis
The Gotham Block Extra Light plugin exposes administrative settings that accept user-supplied input without proper sanitization or escaping. When these stored values render in pages, the browser interprets injected markup as executable script. The vulnerability requires high privileges and high attack complexity, which limits practical exploitation. However, the scope change indicates that injected scripts can affect resources beyond the vulnerable plugin's security context. The EPSS score reflects a low probability of observed exploitation activity.
Root Cause
The plugin fails to apply WordPress sanitization functions such as sanitize_text_field() or wp_kses() on input received through admin settings. Output rendering also omits escaping functions like esc_html(), esc_attr(), or esc_js(). The vulnerable code paths are referenced in the plugin source at lines 463, 470, 495, 500, 504, 519, 564, and 578 of gothamblock.php. Review the WordPress Plugin Code Review for the affected functions.
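The contrast described above, shown as an added example rather than code taken from the Gotham Block Extra Light plugin: the option name gbel_footer_text, the option group gbel_options and every gbel_* function are hypothetical, while the WordPress API calls (register_setting, sanitize_text_field, wp_kses, esc_attr, esc_html) are real. The first two functions reproduce the unsanitized, unescaped pattern; the rest show the same setting handled correctly.

```php
<?php
// Added example; not code from the Gotham Block Extra Light plugin.
// The option name 'gbel_footer_text', the option group 'gbel_options' and
// every gbel_* function are hypothetical. The WordPress API calls are real.

// ---- Vulnerable pattern: the value is stored and echoed back untouched ----
function gbel_save_setting_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) || ! isset( $_POST['gbel_footer_text'] ) ) {
        return;
    }
    // No sanitize_text_field() or wp_kses(): any markup an administrator
    // submits reaches the database intact.
    update_option( 'gbel_footer_text', wp_unslash( $_POST['gbel_footer_text'] ) );
}

function gbel_render_setting_vulnerable() {
    // No esc_attr(): a stored value containing "> closes the attribute and
    // the rest of the string is parsed as markup by every viewer's browser.
    echo '<input type="text" name="gbel_footer_text" value="'
        . get_option( 'gbel_footer_text', '' ) . '">';
}

// ---- Hardened pattern: sanitize on write, escape on read ----
// register_setting() attaches a sanitize callback that WordPress runs every
// time the option is saved through the Settings API, for every user.
add_action( 'admin_init', function () {
    register_setting(
        'gbel_options',
        'gbel_footer_text',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'gbel_sanitize_footer_text',
            'default'           => '',
        )
    );
} );

// Plain-text setting: strip all tags, invalid UTF-8 and line breaks.
function gbel_sanitize_footer_text( $value ) {
    return sanitize_text_field( (string) $value );
}

// Setting that legitimately needs a little HTML: keep only an explicit
// allow-list of tags and attributes; everything else is removed.
function gbel_sanitize_footer_html( $value ) {
    $allowed = array(
        'a'      => array( 'href' => true, 'title' => true ),
        'strong' => array(),
        'em'     => array(),
    );
    return wp_kses( (string) $value, $allowed );
}

function gbel_render_setting_hardened() {
    // Escaped for the attribute context it is printed into.
    printf(
        '<input type="text" name="gbel_footer_text" value="%s">',
        esc_attr( get_option( 'gbel_footer_text', '' ) )
    );
}

function gbel_render_frontend_hardened() {
    // The same value as element content: escaped for the HTML text context.
    echo '<p class="gbel-footer">' . esc_html( get_option( 'gbel_footer_text', '' ) ) . '</p>';
}
```

Two points matter for the multi-site condition in this advisory. The sanitize callback runs on every save regardless of whether the saving user holds unfiltered_html, because WordPress applies that capability to content it filters itself (posts, comments), not to a plugin's own options; the plugin has to filter. And the escaping function must match the output context: esc_attr() inside an attribute, esc_html() in element text, esc_js() inside a JavaScript string literal. Escaping for the wrong context leaves the same hole.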
Attack Vector
An attacker with administrator credentials submits crafted payloads through the plugin's admin settings interface. The payload persists in the WordPress database. When any authenticated or unauthenticated user views a page that renders the injected setting, the script executes in their browser. On multi-site installations, super administrators retain unfiltered_html while subordinate administrators do not, creating the privilege boundary this vulnerability crosses. The same condition applies when site operators explicitly disable unfiltered_html through configuration.
No verified public proof-of-concept code is available. See the Wordfence Vulnerability Analysis for additional technical context.
Detection Methods for CVE-2025-15021
Indicators of Compromise
- Unexpected <script>, <iframe>, or event-handler attributes (onerror, onload) stored in WordPress options related to the Gotham Block Extra Light plugin
- Outbound requests from visitor browsers to unfamiliar domains shortly after rendering pages that use this plugin
- Recent administrator-level changes to plugin settings without a corresponding change-management ticket
Detection Strategies
- Query the wp_options table for plugin-related option names and inspect values for HTML or JavaScript syntax
- Compare current plugin source files against the official versions to identify unauthorized modifications
- Review WordPress audit logs for administrator activity touching the Gotham Block Extra Light settings page
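One way to carry out the wp_options check in the first detection strategy, looking for the indicators listed above (script and iframe tags, on* event-handler attributes). This is an added example, not a tool shipped with the plugin or with WordPress. Run stand-alone with `php scan.php` it scans a constructed sample; run inside WordPress with `wp eval-file scan.php` it reads real rows through $wpdb. The option-name prefix gbel_ is a placeholder, since the page does not list the plugin's actual option names.

```php
<?php
// Added example; not code from the plugin or from WordPress core.
// Scans option values for markup that has no business in a plain-text
// setting. Runs on its own with `php scan.php` against the constructed
// sample below, or inside WordPress with `wp eval-file scan.php`, in which
// case it reads real rows from wp_options instead.

/**
 * Returns a list of findings for one option value. Each finding carries the
 * option name, the pattern label and a short fragment around the match.
 */
function gbel_scan_option_value( string $name, $value ): array {
    // Serialized arrays are scanned in their raw string form, so nested
    // values inside a settings array are covered as well.
    $text = is_string( $value ) ? $value : serialize( $value );

    $patterns = array(
        'script_tag'     => '/<\s*script\b/i',
        'iframe_tag'     => '/<\s*iframe\b/i',
        'event_handler'  => '/\bon[a-z]+\s*=/i',   // onerror=, onload=, ...
        'javascript_uri' => '/javascript\s*:/i',
    );

    $findings = array();
    foreach ( $patterns as $label => $regex ) {
        if ( preg_match( $regex, $text, $m, PREG_OFFSET_CAPTURE ) ) {
            $offset     = $m[0][1];
            $findings[] = array(
                'option'   => $name,
                'pattern'  => $label,
                'fragment' => substr( $text, max( 0, $offset - 20 ), 80 ),
            );
        }
    }
    return $findings;
}

/** Scans a map of option_name => option_value and returns all findings. */
function gbel_scan_options( array $options ): array {
    $all = array();
    foreach ( $options as $name => $value ) {
        foreach ( gbel_scan_option_value( (string) $name, $value ) as $finding ) {
            $all[] = $finding;
        }
    }
    return $all;
}

if ( defined( 'ABSPATH' ) && isset( $GLOBALS['wpdb'] ) ) {
    // Inside WordPress: pull every option whose name starts with the plugin's
    // prefix. 'gbel_' is a placeholder; take the real prefix from the plugin
    // source, since the advisory does not list its option names.
    $wpdb    = $GLOBALS['wpdb'];
    $rows    = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT option_name, option_value FROM {$wpdb->options} WHERE option_name LIKE %s",
            $wpdb->esc_like( 'gbel_' ) . '%'
        ),
        ARRAY_A
    );
    $options = array_column( $rows, 'option_value', 'option_name' );
} else {
    // Constructed sample rows for a stand-alone run. The markup is inert
    // placeholder content used only to exercise the patterns.
    $options = array(
        'gbel_footer_text' => 'Copyright Example Co.',
        'gbel_tagline'     => '"><img src=x onerror="void 0">',
        'gbel_widget'      => array( 'html' => '<script src="https://untrusted.invalid/x.js"></script>' ),
        'gbel_link'        => '<a href="javascript:void(0)">more</a>',
        'siteurl'          => 'https://example.com',
    );
}

foreach ( gbel_scan_options( $options ) as $f ) {
    printf( "[%s] %s: %s\n", $f['pattern'], $f['option'], $f['fragment'] );
}
```

Expect some false positives from the event-handler pattern (any word starting with "on" followed by "=", such as a query-string parameter) and treat every hit as something to read by hand, not something to delete automatically. Findings in options that a legitimate administrator did not change, cross-checked against the activity log recommended below, are the signal worth escalating.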
Monitoring Recommendations
- Enable a WordPress activity logging plugin to capture administrator setting changes with user attribution
- Forward web server access logs to a centralized analytics platform and alert on anomalous response payloads containing inline scripts
- Implement Content Security Policy (CSP) reporting to surface unexpected script sources executing on the site
How to Mitigate CVE-2025-15021
Immediate Actions Required
- Update the Gotham Block Extra Light plugin to the version published in changeset 3438393 or later
- Audit all administrator accounts and remove privileges from any account that does not require them
- Inspect existing plugin settings for stored HTML or JavaScript payloads and remove any unauthorized content
Patch Information
The vendor addressed the issue in the commit recorded as changeset 3438393 on the WordPress plugin repository. Site operators should upgrade to a version newer than 1.5.0 that includes this fix. Verify the installed version through the WordPress plugin management interface after applying the update.
Workarounds
- Deactivate the Gotham Block Extra Light plugin until the patched version can be deployed
- Restrict administrator-level access on multi-site networks to trusted super administrators only
- Deploy a strict Content Security Policy that disallows inline scripts to reduce the impact of any stored payload
# Update the plugin via WP-CLI
wp plugin update gotham-block-extra-light
# Verify the installed version
wp plugin get gotham-block-extra-light --field=version
# If patching is delayed, deactivate the plugin
wp plugin deactivate gotham-block-extra-light
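The Content Security Policy named under Monitoring Recommendations and Workarounds, as an added example in the form of a must-use plugin (not code from the Gotham Block Extra Light plugin). The gbel_* function names and the GBEL_CSP_ENFORCE constant are hypothetical, the collector URL is a placeholder, and the WordPress hooks used (init, script_loader_tag, wp_inline_script_attributes) are real. It starts in report-only mode so that CSP reports surface unexpected script sources without blocking anything, and switches to enforcing once the constant is defined.

```php
<?php
/**
 * Plugin Name: CSP scaffold (added example)
 *
 * Added example; not part of the Gotham Block Extra Light plugin. Save it as
 * wp-content/mu-plugins/csp.php. The collector URL is a placeholder. It starts
 * in report-only mode; define GBEL_CSP_ENFORCE as true in wp-config.php once
 * the reports show no legitimate script being blocked.
 */

function gbel_csp_policy( string $nonce ): string {
    return implode( '; ', array(
        "default-src 'self'",
        // Only scripts carrying this response's nonce run. Inline <script>
        // blocks and on*= handlers echoed from a stored option carry no
        // nonce, so the browser refuses them and sends a report instead.
        "script-src 'self' 'nonce-{$nonce}'",
        "object-src 'none'",
        "base-uri 'self'",
        'report-uri https://REPLACE-WITH-YOUR-COLLECTOR.example/csp',
    ) );
}

// One nonce per request, generated on first use.
function gbel_csp_nonce(): string {
    static $nonce = '';
    if ( $nonce === '' ) {
        $nonce = base64_encode( random_bytes( 16 ) );
    }
    return $nonce;
}

// 'init' fires for both front-end and wp-admin requests before output starts;
// the more common 'send_headers' hook does not run on wp-admin pages, where
// this plugin's settings screen is rendered.
add_action( 'init', function () {
    if ( headers_sent() ) {
        return;
    }
    $header = defined( 'GBEL_CSP_ENFORCE' ) && GBEL_CSP_ENFORCE
        ? 'Content-Security-Policy'
        : 'Content-Security-Policy-Report-Only';
    header( $header . ': ' . gbel_csp_policy( gbel_csp_nonce() ) );
} );

// Attach the nonce to every script enqueued through wp_enqueue_script().
add_filter( 'script_loader_tag', function ( $tag, $handle ) {
    if ( strpos( $tag, ' nonce=' ) !== false ) {
        return $tag;
    }
    return str_replace( '<script ', '<script nonce="' . esc_attr( gbel_csp_nonce() ) . '" ', $tag );
}, 10, 2 );

// Attach the nonce to inline scripts that core and themes print through
// wp_print_inline_script_tag() (WordPress 5.7 and later).
add_filter( 'wp_inline_script_attributes', function ( array $attributes ) {
    $attributes['nonce'] = gbel_csp_nonce();
    return $attributes;
} );
```

Leave it in report-only mode until the collector stops receiving reports for scripts you recognise: wp-admin and many themes emit inline scripts that do not pass through the two filters above and will be reported. Once enforcing, a payload stored through the vulnerable settings has no valid nonce and does not execute, but the policy only contains the impact; the plugin update remains the fix.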
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.