Impact
The Spectra Gutenberg Blocks – Website Builder for the Block Editor plugin for WordPress is vulnerable to stored cross‑site scripting because the contents of its Custom CSS field are not sufficiently sanitized before being stored and rendered. An authenticated attacker with Contributor‑level access or higher can save a payload that is output on every page containing the injected CSS and that executes arbitrary JavaScript in the browser of any visitor to those pages. Script execution in victims' browsers enables social engineering, credential theft and defacement of the site. The weakness is CWE‑79, Improper Neutralization of Input During Web Page Generation ('Cross‑site Scripting').
Affected Systems
WordPress installations running the Spectra Gutenberg Blocks plugin at version 2.19.14 or earlier are affected; every release up to and including 2.19.14 is vulnerable, regardless of the theme or other plugins installed. Administrators should check the installed version under Plugins in the WordPress dashboard (or with `wp plugin list` in WP‑CLI) and update to a fixed release, i.e. any version newer than 2.19.14.
Risk and Exploitability
The CVSS score of 6.4 rates the issue as medium severity. The EPSS score is below 1%, indicating that exploitation in the wild is currently rare, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. The attack does require an authenticated account with the Contributor role or higher, but Contributor is a low‑privilege role routinely granted to guest authors on multi‑author sites, so this precondition is a modest barrier: any malicious or compromised Contributor account is sufficient. Once the payload is stored it fires for every user who views an affected page, logged‑in editors and administrators included, so the blast radius is the entire readership of that page. The likely vector is the plugin's Custom CSS editor: the attacker saves CSS that also contains markup terminating the style context and opening a script element, the value is written to the database unchanged, and it is rendered into the page on every load. No external file, second vulnerability or user interaction beyond visiting the page is needed for the script to run in the victim's browser.
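The following is an added example, not code from the Spectra plugin or from the vendor's fix. It reproduces the bug class described above in a few lines of Python: a stored Custom CSS value echoed verbatim into a `<style>` element (vulnerable), the same value passed through a tag‑stripping sanitizer first (a hardened pattern assumed here, modelled on how WordPress core handles Customizer CSS; it is not the plugin's actual patch), and a triage helper that flags stored values capable of breaking out of the style context. The sample field values and post IDs are constructed for the example.

```python
"""Stored XSS through a Custom CSS field: vulnerable vs hardened rendering.

Added example, not code from the Spectra plugin. It reproduces the class of
bug this advisory describes: a low-privilege user's CSS is stored verbatim and
later echoed into a <style> element without any escaping or tag stripping.
"""
import re

# Per the HTML tokenizer, raw text inside <style> ends at "</style" followed by
# whitespace, "/" or ">", so that is the sequence a breakout payload must contain.
STYLE_END = re.compile(r"</style[\s/>]", re.IGNORECASE)

# Constructed sample field values (not real plugin data). The keys stand in for
# the post IDs the CSS is attached to. 101 is benign; 102 and 103 close the
# <style> element early and inject active content.
STORED_CUSTOM_CSS = {
    101: ".hero { color: red; }\n.hero > span { font-weight: bold; }",
    102: ".hero { color: red; }</style><script>alert(document.cookie)</script><style>",
    103: ".x { color: blue; }</STYLE ><img src=x onerror=alert(1)><style>",
}


def render_unsafe(custom_css: str) -> str:
    """Vulnerable pattern: the stored field is echoed straight into a <style>
    block, so whatever the user saved becomes page source for every visitor."""
    return "<style>" + custom_css + "</style>"


def sanitize_custom_css(custom_css: str) -> str:
    """Hardened pattern (assumed fix, not the vendor's patch): delete every "<"
    together with the text up to the next ">", so no tag of any kind survives
    and the stored text can never terminate the enclosing <style> element.
    A bare ">" is kept, which preserves child selectors such as "div > span";
    HTML-escaping the field instead would produce "div &gt; span" and break
    valid CSS. Any leftover script text is inert inside a style sheet."""
    return re.sub(r"<[^>]*>?", "", custom_css)


def render_safe(custom_css: str) -> str:
    """Same output location as render_unsafe, but the value is sanitized first."""
    return "<style>" + sanitize_custom_css(custom_css) + "</style>"


def escapes_style_context(custom_css: str) -> bool:
    """True when the value would close the enclosing <style> element early."""
    return STYLE_END.search(custom_css) is not None


def find_breakout_payloads(stored: dict) -> list:
    """Triage helper for an existing site: return the IDs whose stored CSS would
    break out of the <style> block. Run it over the real stored values (post
    meta or options) when checking whether a vulnerable site was already abused."""
    return sorted(pid for pid, css in stored.items() if escapes_style_context(css))


if __name__ == "__main__":
    for pid, css in STORED_CUSTOM_CSS.items():
        print(pid, "unsafe:", render_unsafe(css))
        print(pid, "safe:  ", render_safe(css))
    print("breakout payloads:", find_breakout_payloads(STORED_CUSTOM_CSS))
```

The `STYLE_END` pattern is also the string to search for in a database dump during incident triage: a legitimate CSS value has no reason to contain `</style` at all, so any hit on a site that ran a vulnerable release deserves a look.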
OpenCVE Enrichment