The vulnerability in the Nova Blocks plugin allows an attacker to inject malicious JavaScript into web pages that are generated by the plugin. The flaw stems from improper neutralization of input during page generation, which is a classic cross‑site scripting weakness classified as CWE‑79. If attacker‑supplied content is placed into a block, it could lead to cookie theft, session hijacking, defacement or other integrity‑related damage to user data.

The affected product is the WordPress Nova Blocks plugin provided by pixelgrade. All releases from the earliest available version up to and including version 2.1.8 are vulnerable; WordPress sites that still use those versions run the risk of exploitation.

The CVSS score of 6.5 indicates moderate severity, while the EPSS score of less than 1% suggests that active exploitation is currently low but still possible. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker could embed malicious payloads within the plugin’s content handling path, and the likely attack vector is through crafted requests that feed untrusted input to the rendering engine. Visitors who access affected pages could then be exposed to the injected script, compromising confidentiality, integrity, and possibly availability of the site.