CVE-2025-60095
📋 TL;DR
This vulnerability in the Stackable WordPress plugin allows attackers to retrieve embedded sensitive data through information leakage in sent data. It affects all WordPress sites using Stackable versions up to 3.18.1. The exposure could include sensitive information embedded in plugin content.
💻 Affected Systems
- Stackable - Ultimate Gutenberg Blocks WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could extract sensitive information like API keys, credentials, or private content embedded in Stackable blocks, potentially leading to account compromise or data breaches.
Likely Case
Information disclosure of embedded content that may include configuration details, partial credentials, or other sensitive data that could aid further attacks.
If Mitigated
Limited exposure of non-critical embedded data with proper input validation and output encoding in place.
🎯 Exploit Status
Exploitation requires understanding of WordPress plugin structure and data flow patterns.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 3.18.2 or later
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find Stackable plugin. 4. Click 'Update Now' if available. 5. Alternatively, download latest version from WordPress repository and replace plugin files.
🔧 Temporary Workarounds
Disable Stackable Plugin
WordPressTemporarily disable the vulnerable plugin until patched
wp plugin deactivate stackable-ultimate-gutenberg-blocks
🧯 If You Can't Patch
- Implement WAF rules to block suspicious data retrieval patterns
- Monitor logs for unusual data access patterns to Stackable plugin endpoints
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins → Stackable version numberCheck Version:
wp plugin get stackable-ultimate-gutenberg-blocks --field=versionVerify Fix Applied:
Verify Stackable plugin version is 3.18.2 or higher📡 Detection & Monitoring
Log Indicators:
- Unusual GET/POST requests to Stackable plugin endpoints
- Patterns of data extraction from plugin-specific URLs
Network Indicators:
- Abnormal traffic to /wp-content/plugins/stackable-ultimate-gutenberg-blocks/ paths
SIEM Query:
source="wordpress" AND (uri_path="/wp-content/plugins/stackable-ultimate-gutenberg-blocks/*" OR plugin="stackable") AND status=200