CVE-2025-2303
Published: 22 March 2025
Summary
CVE-2025-2303 is a high-severity Code Injection (CWE-94) vulnerability in WordPress (product inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 15.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
The Block Logic – Full Gutenberg Block Display Control plugin for WordPress is vulnerable to remote code execution in all versions through 1.0.8. The flaw resides in the block_logic_check_logic function, which performs unsafe evaluation of user-supplied input, enabling code injection as classified under CWE-94. The issue carries a CVSS 3.1 score of 8.8.
Authenticated attackers holding Contributor privileges or higher can exploit the vulnerability over the network to execute arbitrary code on the hosting server, achieving full confidentiality, integrity, and availability impact without user interaction.
Public references point to the vulnerable code in the plugin repository and a subsequent changeset that addresses the issue, indicating an available update beyond version 1.0.8; Wordfence has also published associated threat intelligence.
EPSS scores remain low with only minimal movement between the current value of 0.0220 and the recorded peak of 0.0237.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-7190
Vulnerability details
The Block Logic – Full Gutenberg Block Display Control plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.0.8 via the block_logic_check_logic function. This is due to the unsafe evaluation of user-controlled input. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.
Related Threats
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
RCE via unsafe eval of user input in a public-facing WordPress plugin maps directly to T1190 (exploitation of the application); the resulting arbitrary code execution on the server maps to T1059 (Command and Scripting Interpreter).
Mitigating Controls (NIST 800-53 r5, AI)
- SI-2 (Flaw Remediation): Directly mitigates the RCE vulnerability by identifying, reporting, and patching the unsafe evaluation flaw in the block_logic_check_logic function of the WordPress plugin.
- SI-10 (Information Input Validation): Requires validation of user-controlled input to the block_logic_check_logic function, preventing malicious code from being executed via unsafe evaluation.
- AC-6 (Least Privilege): Enforces least privilege for authenticated users such as Contributors, limiting access to plugin functions that process user input and reducing post-exploitation impact.
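The flaw class described in the analysis above (CWE-94: a user-supplied "display logic" string reaching eval) and the SI-10 input-validation control listed here, as an added PHP illustration that is not the plugin's own code: hypothetical_vulnerable_check_logic shows the unsafe pattern in its simplest form, and hypothetical_safe_check_logic shows a replacement that validates the string against a small allowlisted grammar and never evaluates it as PHP. The function names, the allowlisted condition set, the left-to-right grammar and the stub return values are all assumptions for the example; the real block_logic_check_logic is not reproduced.

```php
<?php
// Hypothetical illustration of the CWE-94 pattern and a hardened replacement.
// Nothing here is the plugin's actual code.

// Constructed stand-ins so the example runs outside WordPress. WordPress itself
// defines these conditional tags; the guards keep the real ones when present.
if ( ! function_exists( 'is_user_logged_in' ) ) { function is_user_logged_in() { return true; } }
if ( ! function_exists( 'is_front_page' ) )     { function is_front_page()     { return false; } }
if ( ! function_exists( 'is_single' ) )         { function is_single()         { return true; } }

// VULNERABLE PATTERN (assumed shape): a logic string saved with a block by a
// Contributor reaches eval() unchanged, so whatever PHP it contains runs on
// the server. eval() of attacker-controlled input is the CWE-94 sink.
function hypothetical_vulnerable_check_logic( string $logic ): bool {
    return (bool) eval( 'return (' . $logic . ');' );
}

// HARDENED: the string is data, not code. Only these condition names may
// appear, each dispatched to a fixed callable; everything else is rejected.
const HYPOTHETICAL_ALLOWED_CONDITIONS = [
    'logged_in'  => 'is_user_logged_in',
    'front_page' => 'is_front_page',
    'single'     => 'is_single',
];

// Grammar accepted: operand (op operand)*, where operand is an allowlisted name
// optionally prefixed with "!" and op is "and" or "or". Evaluation is flat,
// left to right, with no precedence or parentheses. Any token outside the
// grammar makes the function fail closed (block not displayed).
function hypothetical_safe_check_logic( string $logic ): bool {
    $tokens = preg_split( '/\s+/', strtolower( trim( $logic ) ), -1, PREG_SPLIT_NO_EMPTY );
    if ( $tokens === [] ) {
        return true; // no logic configured: display the block
    }
    $result         = null;
    $operator       = null;
    $expect_operand = true;
    foreach ( $tokens as $token ) {
        if ( $expect_operand ) {
            $negate = false;
            if ( $token[0] === '!' ) {
                $negate = true;
                $token  = substr( $token, 1 );
            }
            if ( ! isset( HYPOTHETICAL_ALLOWED_CONDITIONS[ $token ] ) ) {
                return false; // unknown or malformed condition: fail closed
            }
            $value = (bool) call_user_func( HYPOTHETICAL_ALLOWED_CONDITIONS[ $token ] );
            if ( $negate ) {
                $value = ! $value;
            }
            if ( $result === null ) {
                $result = $value;
            } elseif ( $operator === 'and' ) {
                $result = $result && $value;
            } else {
                $result = $result || $value;
            }
            $expect_operand = false;
        } else {
            if ( $token !== 'and' && $token !== 'or' ) {
                return false; // only "and"/"or" may join operands
            }
            $operator       = $token;
            $expect_operand = true;
        }
    }
    // A trailing operator means the expression is incomplete: fail closed.
    return $expect_operand ? false : $result;
}

// Constructed inputs. With the stubs above, the first evaluates to true
// (logged in and not on the front page); the second contains a token outside
// the allowlist and is rejected without ever being executed.
var_dump( hypothetical_safe_check_logic( 'logged_in and !front_page' ) );
var_dump( hypothetical_safe_check_logic( 'logged_in; something_else' ) );
```

The design choice worth noting is that the hardened version does not try to sanitise the string before eval; it removes eval entirely and maps each recognised token to a fixed callable, so the validation failure mode is "block hidden", not "code executed". A parser like this also makes the SI-10 control testable: every rejected token is a deterministic return of false rather than a runtime error.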