An improperly neutralized input field in the Services Section block plugin allows an attacker to store malicious JavaScript code within the plugin’s content. When a page containing that stored payload is rendered, the script executes in the victim’s browser, potentially leading to session hijacking, defacement, or delivery of further malware. This flaw is a classic Stored XSS issue (CWE‑79) and can compromise the confidentiality, integrity, and availability of the affected site for users who view the vulnerable block.

The vulnerability affects the WordPress Services Section block plugin from all versions up to and including 1.3.4. Any WordPress installation that has this plugin installed and uses its content blocks is at risk. No specific WordPress core version is required; the issue lies solely within the plugin code.

The CVSS score of 6.5 indicates moderate severity, while the EPSS score of less than 1 % suggests exploitation is currently unlikely. The flaw is not listed in CISA's KEV catalog. Exploitation requires that an attacker can inject content into the Services Section block—typically through an administrative or content‑authoring interface. Once the malicious payload is stored, it automatically runs for any user who views the block, making the attack less dependent on privileged access to the server.