Impact
The vulnerability is an Improper Neutralization of Input During Web Page Generation flaw that enables DOM-based cross-site scripting (XSS). Based on the description, it is inferred that malicious user-supplied content can be injected into pages rendered by the WordPress Hyperlink Group Block plugin, leading to the execution of arbitrary JavaScript in the context of the victim's browser session. The impact may include theft of session cookies, defacement of content, or loading of malware, compromising the confidentiality, integrity, and availability of the affected site.
Affected Systems
WordPress sites using the Hyperlink Group Block plugin developed by Daniel Floeter are affected in versions 2.0.1 and earlier. The affected range spans from the first release through 2.0.1; no higher versions are listed in the data.
Risk and Exploitability
The CVSS score of 6.5 rates this as a medium-severity issue, while the EPSS score of less than 1% indicates a very low probability of real-world exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that exploitation requires an attacker to craft a malicious hyperlink or embedded script within the block content, and that a victim must then load that content in a browser. Because this is DOM-based XSS, the injected content acts on the page after it loads, so user interaction is part of the attack vector.
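To make the Impact and Risk sections concrete, the following is an added illustration (not code from the Hyperlink Group Block plugin, whose vulnerable code the advisory does not show) of how a block that renders user-supplied link data can be written so that neither the href nor the label can reach a DOM-XSS sink; the `https://site.example/` base and the `{href, label}` record shape are assumed for the example.

```javascript
// Added example, not code from the Hyperlink Group Block plugin: a defensive
// way to take user-supplied link data (href + label) and render it into the
// DOM without giving that data a chance to execute as script.

const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:", "tel:"]);

// Validate a single href. Returns the normalised URL string, or null if the
// link must be dropped. The WHATWG URL parser is used deliberately: it
// lowercases the scheme and strips tabs/newlines, so "JaVaScRiPt:" and
// "java\tscript:" are recognised the same way a browser would recognise them.
function safeHref(raw, base) {
  if (typeof raw !== "string") return null;
  let url;
  try {
    url = new URL(raw, base);      // relative links resolve against the page base
  } catch {
    return null;                   // unparsable input is dropped, not "fixed up"
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// Turn untrusted block attributes into a list of plain {href, text} records.
// Links with an unsafe href are omitted entirely rather than rendered with a
// placeholder, so nothing attacker-controlled reaches the DOM unchecked.
function sanitizeLinks(links, base) {
  const out = [];
  for (const link of links) {
    const href = safeHref(link.href, base);
    if (href === null) continue;
    const text = typeof link.label === "string" && link.label !== "" ? link.label : href;
    out.push({ href, text });
  }
  return out;
}

// Render into a container using DOM APIs only. Assigning textContent and
// calling setAttribute never parses markup; the classic DOM-XSS sink here is
//   container.innerHTML = links.map(l => `<a href="${l.href}">${l.label}</a>`).join("")
// which hands both attributes straight to the HTML parser.
function renderLinkGroup(container, links) {
  const doc = container.ownerDocument;
  for (const { href, text } of sanitizeLinks(links, doc.baseURI)) {
    const a = doc.createElement("a");
    a.setAttribute("href", href);
    a.setAttribute("rel", "noopener");
    a.textContent = text;          // shown as text, never interpreted as HTML
    container.appendChild(a);
  }
}
```

In a browser, `renderLinkGroup(document.getElementById("links"), blockAttributes.links)` replaces the innerHTML pattern shown in the comment; the two helper functions run anywhere the WHATWG `URL` class is available.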
OpenCVE Enrichment