Impact
The Ultimate Blocks plugin for WordPress contains a DOM-based cross-site scripting flaw. Script code that an attacker injects through the plugin's block interface is later reflected on the page without proper escaping. The flaw arises from improper neutralization of input during web page generation, which allows a malicious payload to execute client-side code. Successful exploitation grants the attacker arbitrary script execution in the context of the victim's browser, potentially leading to credential theft, phishing, or defacement.
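To make the escaping gap concrete, the following is an added example, not code from the Ultimate Blocks plugin: the block name, attribute names and sample content are hypothetical. It renders the same block attributes through an unescaped string sink (the pattern behind this class of flaw) and through an escaped one, and includes a small check that shows which renderer leaks raw markup.

```javascript
// Added illustration, not Ultimate Blocks code. Block and attribute names are hypothetical.

// Minimal HTML escaper suitable for text nodes and double-quoted attribute values.
// (In real block code, @wordpress/escape-html provides escapeHTML()/escapeAttribute().)
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: attribute text is concatenated straight into markup that the
// editor later assigns to innerHTML, so any tags or quotes in it become live DOM.
function renderBlockUnsafe(attrs) {
  return '<div class="wp-block-example-card" data-title="' + attrs.title + '">' +
         '<p>' + attrs.body + '</p></div>';
}

// Hardened pattern: every untrusted value is escaped for the context it lands in.
function renderBlockSafe(attrs) {
  return '<div class="wp-block-example-card" data-title="' + escapeHtml(attrs.title) + '">' +
         '<p>' + escapeHtml(attrs.body) + '</p></div>';
}

// Defender-side check: does the rendered markup still contain an attribute value
// verbatim when that value carries markup-significant characters (< > ")?
function leaksMarkup(rendered, attrs) {
  return Object.values(attrs).some(v => /[<>"]/.test(v) && rendered.includes(v));
}

// Constructed sample input, standing in for content saved through the block editor.
const sampleAttrs = {
  title: 'Say "hi"',
  body: '<script>alert(1)</script>',
};

console.log('unsafe:', renderBlockUnsafe(sampleAttrs), '-> leaks:', leaksMarkup(renderBlockUnsafe(sampleAttrs), sampleAttrs));
console.log('safe:  ', renderBlockSafe(sampleAttrs), '-> leaks:', leaksMarkup(renderBlockSafe(sampleAttrs), sampleAttrs));
```

The safe renderer turns the sample body into `&lt;script&gt;alert(1)&lt;/script&gt;`, which the browser displays as text instead of executing.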
Affected Systems
The issue affects any installation of Ultimate Blocks version 3.3.0 or earlier: every release from the initial one up to and including 3.3.0 contains the vulnerable code path. The vulnerability is present regardless of the size or traffic level of the WordPress site, as it is tied to the plugin's input handling rather than to an external service.
Risk and Exploitability
The CVSS score is 6.5, indicating medium severity. The EPSS score of below 1% suggests that exploitation in the wild has been very rare. This vulnerability is not listed in the CISA KEV catalog. The typical attack path involves a user interacting with the block editor or supplying content that includes the malicious payload; the code executes in the victim's browser when the affected page is viewed. No special system privileges are required, and because the flaw is client-side it does not affect server integrity.