The Nexa Blocks WordPress plugin has a stored cross‑site scripting flaw that allows attackers to inject malicious script code into pages or content created by the plugin. The vulnerability arises from an inadequate sanitization of user input, meaning that arbitrary JavaScript can be embedded and executed in the browsers of users who view the affected content, potentially leading to session hijacking, data theft, or defacement. The rooted weakness is identified as CWE‑79.

WordPress sites using the Nexa Blocks plugin version 1.1.0 or earlier are impacted. The vulnerability description covers all releases from the earliest available through to 1.1.0 inclusive; any installation that has not yet upgraded beyond that version remains vulnerable.

The CVSS score of 6.5 indicates a medium severity flaw. The EPSS score of less than 1% signals a very low probability that the vulnerability is currently being exploited in the wild, and the entry is not listed in the CISA KEV catalog. The likely attack vector involves a threat actor submitting malicious content through the plugin’s input fields, which is then stored and later rendered. Once the page containing the injected script loads in a victim’s browser, the payload executes with the user’s privileges, possibly compromising the user’s session or the site’s integrity.