This vulnerability is an improper neutralization of user input when generating web pages, which permits a DOM‑based cross‑site scripting attack. Attackers can embed malicious script that will execute in the victim’s browser when the compromised page is rendered, potentially allowing for session hijacking, credential theft, or defacement of the site’s content. The weakness is a classic input‑validation failure (CWE‑79).

The affected product is the WordPress plugin "B Blocks" supplied by bPlugins. All releases from the introduction of the plugin through version 2.0.5 are vulnerable; later releases are considered unaffected.

The CVSS score of 6.5 indicates a moderate severity, while the EPSS score of less than 1% suggests a very low likelihood of mass exploitation at this time. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The attack vector is inferred to be a web‑browser based DOM manipulation, where an attacker supplies crafted input (for example in a URL or form field) that is incorporated into the page without proper encoding. Successful exploitation would allow an attacker to run code in the context of the site’s visitors. This is a typical client‑side XSS scenario with potentially widespread impact on any user visiting the affected site.