CVE-2025-2303
Published: 22 March 2025
Description
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. (This sentence is the MITRE ATT&CK description of T1059, Command and Scripting Interpreter; the vulnerability itself is described in the Security Summary below.)
Security Summary
CVE-2025-2303 is a remote code execution (RCE) vulnerability in the Block Logic – Full Gutenberg Block Display Control plugin for WordPress, affecting all versions up to and including 1.0.8. The flaw is in the block_logic_check_logic function, which evaluates user-controlled input as code; it is classified as CWE-94 (Improper Control of Generation of Code, 'Code Injection'). Published on 2025-03-22, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), High severity, reflecting the potential for complete compromise of the web server.
Authenticated attackers with Contributor-level access or higher can exploit the flaw remotely; attack complexity is low and no user interaction is required. Because the string the function evaluates is under the control of the authenticated user, an attacker who can get a crafted value into it obtains arbitrary PHP execution under the web server's account. From there they can take control of the hosting environment, exfiltrate data, or move laterally into adjacent systems.
The references cover the affected code and the fix: the vulnerable code is at line 127 of the plugin's 1.0.8 tag in the WordPress plugin Trac, the fix is in changeset 3430763, and Wordfence's threat intelligence entry for this CVE provides further analysis and mitigation guidance. Sites running this plugin should update to a release that includes changeset 3430763, or remove the plugin until they can.
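To make the CWE-94 pattern concrete, the following is an added example, not the plugin's own code and not the fix from changeset 3430763. The function name block_logic_check_logic_unsafe, the grammar of the "logic" string, and the stand-in conditional tags (is_user_logged_in, is_home, is_page) are assumptions for illustration; in a real site those tags come from WordPress core. It shows the vulnerable shape (a user-controlled string handed to eval) next to one safe replacement: a tiny parser that only permits an explicit allow-list of boolean functions, combined with !, && and ||, so that anything outside that grammar is rejected rather than executed.

```php
<?php
declare(strict_types=1);

// --- Vulnerable shape (constructed, not the plugin's code). ---------------------
// A Contributor controls $logic (it is saved with the post content), so eval()
// here is arbitrary PHP execution: "is_home()" works, but so does "1; system('id')".
function block_logic_check_logic_unsafe(string $logic): bool
{
    return (bool) eval('return (' . $logic . ');');   // CWE-94
}

// --- Hardened replacement (constructed). ---------------------------------------
// Grammar: expr := term (('&&' | '||') term)* ; term := ['!'] NAME '(' [arg] ')'
// NAME must be a key of $allowed; arg is one quoted string or integer literal.
final class BlockLogicEvaluator
{
    /** @var array<string, callable> */
    private array $allowed;

    public function __construct(array $allowed)
    {
        $this->allowed = $allowed;
    }

    public function evaluate(string $logic): bool
    {
        // Tokenise with an anchored regex; any character outside the grammar
        // (';', '$', '.', '`', ...) causes a hard failure instead of execution.
        $re = '/\s*(&&|\|\||!|\(|\)|[A-Za-z_][A-Za-z0-9_]*|\'[^\']*\'|"[^"]*"|\d+)\s*/A';
        $tokens = [];
        $pos = 0;
        while ($pos < strlen($logic)) {
            if (!preg_match($re, $logic, $m, 0, $pos)) {
                throw new InvalidArgumentException("Unexpected input at offset $pos");
            }
            $tokens[] = $m[1];
            $pos += strlen($m[0]);
        }
        $i = 0;
        $result = $this->parseExpr($tokens, $i);
        if ($i !== count($tokens)) {
            throw new InvalidArgumentException('Trailing tokens');
        }
        return $result;
    }

    private function parseExpr(array $t, int &$i): bool
    {
        $value = $this->parseTerm($t, $i);
        while ($i < count($t) && ($t[$i] === '&&' || $t[$i] === '||')) {
            $op  = $t[$i++];
            $rhs = $this->parseTerm($t, $i);      // every term is validated, no short-circuit
            $value = ($op === '&&') ? ($value && $rhs) : ($value || $rhs);
        }
        return $value;
    }

    private function parseTerm(array $t, int &$i): bool
    {
        $negate = false;
        if (($t[$i] ?? null) === '!') { $negate = true; $i++; }
        $name = $t[$i++] ?? '';
        if (!isset($this->allowed[$name])) {
            // system, eval, file_put_contents, ... are simply not on the list.
            throw new InvalidArgumentException("Function not allowed: $name");
        }
        if (($t[$i++] ?? null) !== '(') {
            throw new InvalidArgumentException("Expected ( after $name");
        }
        $args = [];
        if (($t[$i] ?? null) !== ')') {
            $raw    = $t[$i++];
            $args[] = is_numeric($raw) ? (int) $raw : substr($raw, 1, -1); // strip quotes
        }
        if (($t[$i++] ?? null) !== ')') {
            throw new InvalidArgumentException("Expected ) after $name");
        }
        $value = (bool) ($this->allowed[$name])(...$args);
        return $negate ? !$value : $value;
    }
}

// Stand-ins for WordPress conditional tags (assumed values; WP core supplies the real ones).
$evaluator = new BlockLogicEvaluator([
    'is_user_logged_in' => fn() => true,
    'is_home'           => fn() => false,
    'is_page'           => fn($id = null) => $id === 'about',
]);

var_dump(block_logic_check_logic_unsafe('strlen(php_uname()) > 0'));  // any PHP runs: bool(true)
var_dump($evaluator->evaluate('is_user_logged_in() && !is_home()'));   // bool(true)
var_dump($evaluator->evaluate("is_page('about') || is_home()"));       // bool(true)
try {
    $evaluator->evaluate("is_home(); system('id')");                   // rejected at the ';'
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;                                     // Unexpected input at offset 9
}
```

The design point is that the safe version never turns the attacker's string into PHP at all: it only ever dispatches to closures the developer enumerated, so adding a new conditional means adding an allow-list entry, not widening what eval can reach. When auditing a plugin for this class of bug, any eval(), create_function() or call_user_func() whose argument can be traced back to post content, block attributes or request parameters deserves the same treatment.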
Details
- CWE(s): CWE-94 (Improper Control of Generation of Code, 'Code Injection')
MITRE ATT&CK Enterprise Techniques
Why these techniques?
RCE via unsafe eval of user input in a public-facing WordPress plugin maps directly to T1190 (Exploit Public-Facing Application) for initial access; the resulting arbitrary code execution on the server maps to T1059 (Command and Scripting Interpreter) for execution.