Impact
This vulnerability is an improper neutralization of input during web page generation (stored cross‑site scripting) in the Design Blocks plugin: content supplied to the plugin is stored and later emitted into the page without adequately neutralizing client‑side script. The injected script executes in the browsers of users who view the affected content. Based on the description, it is inferred that an attacker might abuse this to steal credentials, hijack sessions, or deface the site. The weakness is classified as CWE‑79 and does not allow remote code execution or direct server compromise.
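The following is an added illustration of the weakness class, not code from the Design Blocks plugin: a dynamic block render callback that writes stored block attributes into the page unescaped, beside the hardened form that escapes each value for its HTML context with core WordPress functions. The block name and the attribute names (`title`, `body`) are assumptions.

```php
<?php
// Added example (not the Design Blocks plugin's code). Attribute names
// 'title' and 'body' and the block name are assumptions for illustration.

// VULNERABLE pattern: attribute values saved through the block editor are
// concatenated straight into the HTML at render time, so a stored payload
// runs for every visitor who views the block (CWE-79).
function example_render_block_unsafe( $attributes ) {
    $title = isset( $attributes['title'] ) ? (string) $attributes['title'] : '';
    $body  = isset( $attributes['body'] ) ? (string) $attributes['body'] : '';
    return '<div class="design-block" data-title="' . $title . '">'
         . '<h3>' . $title . '</h3>'
         . '<div>' . $body . '</div></div>';
}

// HARDENED pattern: neutralize at output time according to where the value
// lands. esc_attr() for an attribute value, esc_html() for a text node, and
// wp_kses_post() where limited rich HTML is legitimately allowed. These are
// core WordPress escaping functions and work regardless of how the value
// was stored or which role stored it.
function example_render_block_safe( $attributes ) {
    $title = isset( $attributes['title'] ) ? (string) $attributes['title'] : '';
    $body  = isset( $attributes['body'] ) ? (string) $attributes['body'] : '';
    return '<div class="design-block" data-title="' . esc_attr( $title ) . '">'
         . '<h3>' . esc_html( $title ) . '</h3>'
         . '<div>' . wp_kses_post( $body ) . '</div></div>';
}

// Register the block with the hardened callback so every server-side render
// goes through the escaping path. The attribute schema is an assumption.
add_action( 'init', function () {
    register_block_type( 'example/design-block', array(
        'attributes'      => array(
            'title' => array( 'type' => 'string', 'default' => '' ),
            'body'  => array( 'type' => 'string', 'default' => '' ),
        ),
        'render_callback' => 'example_render_block_safe',
    ) );
} );
```

When reviewing a block plugin for this class of defect, look for render callbacks or `save()` output that concatenate attribute values without an `esc_*` or `wp_kses_*` call for the surrounding context.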
Affected Systems
WordPress sites that use the Design Blocks (exclusive‑blocks) plugin by devscred, versions from the earliest available release through 1.2.5 inclusive. Any installation of this plugin within that version range is vulnerable.
Risk and Exploitability
The CVSS score of 6.5 indicates moderate severity, while the EPSS score of less than 1% indicates a low probability of public exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires that an attacker be able to submit content that the plugin stores. Based on the description, it is inferred that submission may be possible only for users with block‑creation privileges, such as authenticated users or administrators. Once stored, the payload affects every visitor who renders the compromised block. Because there is no more direct attack vector, the practical impact is limited to the web‑client environment of site visitors.
OpenCVE Enrichment