Impact
The CozyThemes Cozy Blocks plugin for WordPress contains a stored cross‑site scripting (XSS) flaw: user-supplied input is not adequately sanitized when the plugin generates page markup. An attacker can embed script in a block so that the payload is saved in the database and executed in the browser of every user who views a page or post containing the affected block. Because the script runs in the site's own origin, it can read authenticated state, deface pages, or load further malicious content into visitors' browsers, compromising the confidentiality and integrity of the site and, through defacement, the availability of its content to visitors. WordPress sets its authentication cookies HttpOnly, so outright session‑cookie theft is unlikely; the larger risk is script running in an administrator's browser and performing authenticated actions on their behalf, such as creating a user or installing a plugin.
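To illustrate the class of bug described above, here is an added example of a server‑rendered WordPress block that echoes a block attribute unescaped, beside a hardened version. This is illustrative code written for this page, not the Cozy Blocks plugin's own code; the block name `example/card`, the attribute names and the function names are assumptions.

```php
<?php
// Added illustrative example; not code from the Cozy Blocks plugin.
// Block name, attribute names and function names are assumptions.

// Vulnerable: 'title' and 'link' are block attributes that an author can
// set from the editor. They are persisted in post_content and echoed into
// the page without escaping, so a payload such as
//   "><img src=x onerror=alert(document.domain)>
// or a javascript: link is stored once and runs for every visitor.
function example_render_card_vulnerable( array $attributes ): string {
    $title = $attributes['title'] ?? '';
    $link  = $attributes['link']  ?? '#';
    return '<div class="card"><a href="' . $link . '">' . $title . '</a></div>';
}

// Hardened: escape every value for the context it lands in.
//  - esc_url()      rejects javascript: and other disallowed URL schemes
//  - esc_html()     neutralises tags in a text node
//  - wp_kses_post() allows only post-safe HTML where rich content is needed
//                   (strips <script>, on* handlers and unsafe URLs)
function example_render_card_hardened( array $attributes ): string {
    $title = esc_html( $attributes['title'] ?? '' );
    $link  = esc_url( $attributes['link'] ?? '#' );
    $body  = wp_kses_post( $attributes['body'] ?? '' );
    return '<div class="card"><a href="' . $link . '">' . $title . '</a>' . $body . '</div>';
}

// Registration of a dynamic block using the hardened renderer. The
// render_callback runs on every page view, which is why unescaped
// attributes turn a one-time edit into a persistent (stored) XSS.
add_action( 'init', function () {
    register_block_type( 'example/card', [
        'attributes'      => [
            'title' => [ 'type' => 'string' ],
            'link'  => [ 'type' => 'string' ],
            'body'  => [ 'type' => 'string' ],
        ],
        'render_callback' => 'example_render_card_hardened',
    ] );
} );
```

Note that WordPress's kses filtering for users without the `unfiltered_html` capability is applied to the HTML in `post_content`; block attributes are serialised as JSON inside the block's HTML comment delimiter, so they are not stripped there and must be escaped at render time, as the hardened callback does.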
Affected Systems
WordPress sites running the Cozy Blocks plugin (CozyThemes – Cozy Blocks) at any version up to and including 2.1.6 are affected. Versions later than 2.1.6 are not known to contain this flaw.
Risk and Exploitability
The CVSS score of 6.5 places this at medium severity. The EPSS score of under 1% indicates a low current probability of exploitation, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. Based on the description, the attack vector is insertion of script through a user‑editable block: the attacker needs an account that can create or edit posts containing the block, or some other way to inject content into the post, after which the payload runs for every visitor to the affected page, including logged‑in administrators. Because the payload is persistent, remediation is essential: update to a version later than 2.1.6 and audit existing posts that use the plugin's blocks for injected script, since updating alone does not remove content already stored. The installed version can be confirmed with `wp plugin list --fields=name,version`.