Impact
The Ultimate Blocks plugin for WordPress contains a DOM-based XSS flaw caused by improper neutralization of input during page generation (CWE-79). When an attacker supplies a malicious payload in block content that the plugin does not correctly sanitize, the payload executes in the victim's browser. This allows the attacker to steal cookies, hijack sessions, deface the site, or redirect users to malicious domains. Execution is confined to the victim's browser, but it can lead to broader data theft or compromise of user accounts on the affected site.
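The CWE-79 pattern described above, shown as an added illustration in a hypothetical block front-end script (this is not Ultimate Blocks code, and the attribute names `title` and `link` are assumed; the page does not identify the plugin's actual sink). The vulnerable renderer interpolates block attributes verbatim into markup destined for `innerHTML`; the hardened renderer neutralizes each value for the context it lands in before the string reaches the DOM.

```javascript
// Added example, not the plugin's code. Attribute names and the rendering
// functions are hypothetical; the sample input below is constructed.

// Minimal HTML entity encoding for text placed inside element content
// or a double/single-quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Allow only http(s) URLs and same-origin relative paths in href/src.
// Any other scheme (javascript:, data:, ...) is replaced by "#".
function safeUrl(value) {
  const s = String(value).trim();
  if (s.startsWith("/") && !s.startsWith("//")) return s;
  try {
    const u = new URL(s);
    if (u.protocol === "http:" || u.protocol === "https:") return u.href;
  } catch (_) {
    // not a parseable absolute URL; fall through to the safe default
  }
  return "#";
}

// Vulnerable pattern: block attributes, which an author or untrusted
// contributor controls, are copied into the markup unchanged. When the
// caller assigns the result to element.innerHTML, script in the
// attributes runs in every visitor's browser.
function renderUnsafe(attrs) {
  return `<a class="ub-btn" href="${attrs.link}">${attrs.title}</a>`;
}

// Hardened pattern: URL-typed values go through safeUrl, and every value
// is entity-encoded for its HTML context before it reaches innerHTML.
function renderSafe(attrs) {
  const href = escapeHtml(safeUrl(attrs.link));
  return `<a class="ub-btn" href="${href}">${escapeHtml(attrs.title)}</a>`;
}

// Constructed sample: harmless canary payloads in both attributes.
const sample = { title: "<script>alert(1)</script>", link: "javascript:alert(1)" };
```

In a real block script the same neutralization belongs at every point where an attribute flows into `innerHTML`, `outerHTML`, `insertAdjacentHTML`, or an `href`/`src` property.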
Affected Systems
All WordPress sites that use the Ultimate Blocks plugin through version 3.2.7 are affected. The vulnerability applies to every release up to and including 3.2.7, regardless of the specific WordPress version.
Risk and Exploitability
The CVSS score of 6.5 indicates moderate severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation at the time of analysis. The vulnerability is not listed in the CISA KEV catalog, which reduces immediate concern. Exploitation requires a web-based attack vector, typically a crafted link or a social-engineering trick that leads the victim to a page containing an unsafe block. Because the flaw is DOM-based, triggering it generally requires user interaction, although it can also be triggered by embedded URLs or content that visitors load without realizing it.
OpenCVE Enrichment