Impact
A reflected cross‑site scripting flaw in the WordPress WP Block Pack plugin allows an attacker to inject arbitrary JavaScript that is executed in the browser of any visitor who accesses a crafted URL or form submission. The vulnerability arises because the plugin fails to properly neutralize user input before rendering it in the generated webpage. If exploited, the attacker could steal session cookies, deface content, or spread phishing content by deceiving users into interacting with malicious scripts.
Affected Systems
All installations of the WP Block Pack plugin for WordPress released by FalconTheme Team, specifically versions up to and including 1.1.6. Users running earlier versions are also potentially affected.
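The following audit script is an added example, not code from the advisory or from the plugin's authors: it scans a `wp-content/plugins` tree and reports copies of the plugin at or below 1.1.6. It assumes the plugin's main file carries the standard WordPress header with `Plugin Name: WP Block Pack`; the function names and the sample header are constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Assumption: the main plugin file declares "Plugin Name: WP Block Pack" in the
# standard WordPress header; the real header text may differ.
PLUGIN_NAME = "WP Block Pack"
LAST_AFFECTED = "1.1.6"  # advisory: versions up to and including 1.1.6
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t*/]*$", re.M | re.I)

# Constructed sample header, not the plugin's real file.
SAMPLE = """<?php
/**
 * Plugin Name: WP Block Pack
 * Version: 1.1.6
 */
"""

def parse_header(php_source):
    """Return header fields keyed by lower-cased name (first occurrence wins)."""
    fields = {}
    for key, value in HEADER_RE.findall(php_source[:8192]):  # WordPress reads the first 8 KiB
        fields.setdefault(key.lower(), value.strip())
    return fields

def version_tuple(version):
    """Leading dotted-numeric part as a tuple, trailing zeros dropped; () if none."""
    m = re.match(r"\d+(?:\.\d+)*", version.strip())
    parts = [int(n) for n in m.group().split(".")] if m else []
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def is_affected(php_source):
    """True if the source is the named plugin at a version <= LAST_AFFECTED."""
    fields = parse_header(php_source)
    if fields.get("plugin name", "").lower() != PLUGIN_NAME.lower():
        return False
    # A missing or unparsable version yields (), which compares as affected (fail closed).
    return version_tuple(fields.get("version", "")) <= version_tuple(LAST_AFFECTED)

def audit(plugins_dir):
    """Yield (path, version) for affected copies under a wp-content/plugins directory."""
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        source = php.read_text(encoding="utf-8", errors="replace")
        if is_affected(source):
            yield str(php), parse_header(source).get("version", "unknown")

if __name__ == "__main__":
    for path, version in audit(sys.argv[1] if len(sys.argv) > 1 else "wp-content/plugins"):
        print(f"AFFECTED {path} version {version}")
```

Run it with the path to a site's `wp-content/plugins` directory as the only argument; it only reads files and prints one line per affected copy.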
Risk and Exploitability
The CVSS score of 7.1 indicates a high severity with moderate impact on confidentiality and integrity. The EPSS score of less than 1% suggests that, although the vulnerability exists, it is currently unlikely to be widely exploited in the wild. The plugin is not listed in the CISA KEV catalog, and there is no evidence that specific advanced persistent threat groups are actively targeting it. Based on the description, the likely attack vector is an unauthenticated user visiting a malicious link or submitting a malicious query string that triggers the plugin’s incorrect handling of input. Execution would occur only in the victim’s browser, and the attacker would need to bait users into loading the vulnerable page.