Security Advisory: Gutenify Plugin Cross-Site Scripting (CVE-2025-8605)

Cross-Site Scripting (XSS) in WordPress Gutenify Plugin
Plugin Name: Gutenify
Type of Vulnerability: Cross-Site Scripting (XSS)
CVE Number: CVE-2025-8605
Urgency: Low
CVE Publish Date: 2025-11-17
Source URL: CVE-2025-8605

Critical: Stored XSS in Gutenify Count Up block (CVE-2025-8605) — What WordPress Site Owners and Developers Must Do Now

Date: 17 November 2025
Severity: CVSS 6.5 (Medium)
Vulnerable versions: Gutenify ≤ 1.5.9
CVE: CVE-2025-8605
Required privilege: Contributor

As a Hong Kong security expert, I summarise the issue plainly and provide a pragmatic, priority-ordered response for site owners, administrators, developers and hosting providers. This advisory focuses on defensive actions and secure coding practices; it does not reproduce exploit code.

TL;DR — Immediate actions

  • If you run Gutenify and are on version ≤ 1.5.9: update immediately if a patched release is available from the plugin author.
  • If you cannot update now: remove or disable the Count Up block for untrusted roles, restrict what Contributor accounts can submit, and block or inspect backend requests that attempt to save HTML-like payloads.
  • Enforce least privilege for user accounts: temporarily restrict or audit contributors who can add blocks.
  • Search site content (posts, reusable blocks, templates, pattern imports) for saved
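
As an added example, not code from the original advisory and not the Gutenify plugin's own code, the following must-use plugin (dropped into wp-content/mu-plugins/) implements the interim TL;DR items in one place: it hides the block from users who lack the unfiltered_html capability (Contributors never have it on a stock install), sanitises whatever the block renders so payloads already stored in post_content are neutralised on output, and provides an audit function for locating posts, reusable blocks and templates that contain the block alongside suspicious markup. It assumes the block is registered under the name gutenify/count-up and that the block's markup needs nothing beyond div/span/p elements with class, id and data-* attributes; both are assumptions to verify against the editor's block registry before relying on the hooks.

```php
<?php
/**
 * Plugin Name: Count Up interim mitigation (example code, not the plugin's own)
 * Description: Hides the block from untrusted roles, sanitises its output and
 *              lists posts that need manual review, until a patched release ships.
 */

// ASSUMPTION: the registered block name. Confirm it in the editor's block
// registry (wp.blocks.getBlockTypes() in the browser console) before use.
const GCU_BLOCK_NAME = 'gutenify/count-up';

/**
 * 1. Remove the block from the inserter for users who cannot post raw HTML.
 *    Contributors and Authors lack unfiltered_html, so only Editors and
 *    Administrators keep the block while the site waits for the fix.
 */
add_filter( 'allowed_block_types_all', function ( $allowed, $editor_context ) {
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $allowed;
    }
    // true means "every registered block"; expand it so we can subtract one.
    if ( true === $allowed ) {
        $allowed = array_keys( WP_Block_Type_Registry::get_instance()->get_all_registered() );
    }
    if ( is_array( $allowed ) ) {
        $allowed = array_values( array_diff( $allowed, array( GCU_BLOCK_NAME ) ) );
    }
    return $allowed;
}, 10, 2 );

/**
 * 2. Output-side defence in depth. render_block_{name} runs on every render of
 *    this block, so stored payloads are stripped without editing the database.
 *    wp_kses discards script elements and on* event-handler attributes.
 *    ASSUMPTION: the block's front-end markup uses only these elements.
 */
add_filter( 'render_block_' . GCU_BLOCK_NAME, function ( $html, $block ) {
    $allowed_html = array(
        'div'  => array( 'class' => true, 'id' => true, 'data-*' => true ),
        'span' => array( 'class' => true, 'data-*' => true ),
        'p'    => array( 'class' => true ),
    );
    return wp_kses( $html, $allowed_html );
}, 10, 2 );

/**
 * 3. Audit helper for the content search. Posts, reusable blocks (wp_block)
 *    and block templates all live in wp_posts, so one query covers them.
 *    Returns rows for content containing the block plus markup that should
 *    never appear inside a numeric counter block. Run from WP-CLI:
 *      wp eval 'print_r( gcu_find_suspicious_posts() );'
 *
 * @return object[] rows with ID, post_type, post_author, post_status, post_modified
 */
function gcu_find_suspicious_posts() {
    global $wpdb;

    $block_marker = '%' . $wpdb->esc_like( '<!-- wp:' . GCU_BLOCK_NAME ) . '%';
    // MySQL REGEXP is case-insensitive on non-binary columns; [[:space:]]
    // keeps the pattern valid on both MariaDB and MySQL 8 regex engines.
    $suspicious = '(<script|on[a-z]+[[:space:]]*=|javascript:|<svg|<iframe|<img)';

    return $wpdb->get_results( $wpdb->prepare(
        "SELECT ID, post_type, post_author, post_status, post_modified
           FROM {$wpdb->posts}
          WHERE post_content LIKE %s
            AND post_content REGEXP %s
          ORDER BY post_modified DESC",
        $block_marker,
        $suspicious
    ) );
}
```

The render filter is deliberately conservative: if the real block relies on additional elements or attributes, extend `$allowed_html` rather than dropping the filter, since a missing attribute breaks a counter animation while a missing filter leaves the stored payload live. Treat every row the audit function returns as a manual-review item, and check the post_author column against the user list when deciding which Contributor accounts to audit.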