CVE-2025-5842
Published
CVSS v3
6.4
MEDIUM
CVSS v2
N/A
Affected
1
PROJECT
Description
The Modern Design Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘class’ parameter in all versions up to, and including, 1.1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
<p>Modern Design Library is a toolkit of opinionated Gutenberg blocks for WordPress. All optional blocks are registered using PHP-only block registration (<code>autoRegister</code>) — no JavaScript build step or Node.js tooling required.</p>
<p>The plugin ships with:</p>
<ul>
<li><strong>Colored Line</strong> — a fully customisable horizontal separator block with striped, shade, and dotted style variants (classic JS-registered block).</li>
<li><strong>Advanced Separator</strong> <em>(experimental)</em> — a PHP-only separator with configurable width, height, padding, alignment, and three decorative variants.</li>
<li><strong>Advanced Heading</strong> <em>(experimental)</em> — 13 decorative heading styles, heading level selector (H1–H6), optional tagline, and full typography/spacing/border block support controls. Accent decorations automatically follow the text colour.</li>
<li><strong>Marquee</strong> <em>(experimental)</em> — a single infinitely scrolling text row. Stack multiple blocks for multi-row layouts. Speed (Slow/Medium/Fast) and direction (Left/Right) are configurable. Animation script is loaded lazily — only on pages containing the block.</li>
<li><strong>Call to Action</strong> <em>(experimental)</em> — a CTA banner with heading, subheading, button label/URL, three visual variants (Primary/Secondary/Dark), and native colour overrides.</li>
<li><strong>Author Box</strong> <em>(experimental)</em> — displays a user card with avatar, bio, email, and LinkedIn link. User is selected from a dropdown. LinkedIn URL is stored as user meta (set on the user’s profile page).</li>
</ul>
<p>Optional blocks are enabled from <strong>Settings <span aria-hidden="true" class="wp-exclude-emoji">→</span> Modern Design Library <span aria-hidden="true" class="wp-exclude-emoji">→</span> Modules</strong>.</p>
<p>The optional blocks require the <strong>Gutenberg plugin</strong> or <strong>WordPress 7.0+</strong> for the <code>autoRegister</code> block support.</p>
<p>Read more on <a href="https://getbutterfly.com/wordpress-plugins/modern-design-library-ui/" rel="nofollow ugc">getButterfly</a>.</p>
<p>For a deep dive into how the PHP-only blocks work, read <a href="https://getbutterfly.com/php-only-block-registration-in-wordpress/" rel="nofollow ugc">PHP-Only Block Registration in WordPress 7.0</a>.</p>
WordPress Plugin Directory