Impact
This vulnerability allows an attacker to inject malicious script code into the web pages generated by the WP Travel Gutenberg Blocks plugin. The plugin does not properly neutralize user-supplied input, leading to a classic Cross‑Site Scripting flaw (CWE-79). An attacker who can supply content to the block editor could have that code executed in the browsers of any site visitor or administrator, potentially enabling session hijacking, defacement, or theft of credentials.
Affected Systems
The issue impacts the WP Travel Gutenberg Blocks plugin for WordPress. All installations running version 3.9.2 or earlier are vulnerable; newer releases are not affected.
Risk and Exploitability
The CVSS score of 6.5 reflects a moderate impact, while the EPSS score of less than 1% indicates a low probability of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Exploitation would likely require an attacker to inject malicious script through the plugin’s input areas, which then runs in the browser of any visitor or administrator.
OpenCVE Enrichment