The Vulnerability is a stored Cross‑Site Scripting flaw that allows authenticated users with contributor or higher privileges to embed arbitrary scripts into WordPress pages via the blockId attribute of the betterdocs/category-slate-layout Gutenberg block. The CategorySlateLayout::render() method outputs the blockId directly into an HTML class attribute without proper sanitization, so any script included will execute whenever the page is viewed. This can enable attackers to hijack user sessions, steal cookies, deface the site, or run further malicious payloads. The impact is therefore integrity and confidentiality of site data for any visitor who loads the affected page.

WordPress sites that have installed the BetterDocs Knowledge Base plugin in any version up to and including 4.5.3. The vulnerability exists specifically in the CategorySlateLayout block used for layout configuration in the Block Editor. To be affected one must have access to the WordPress admin interface with contributor-level or higher permissions, and use or edit the vulnerable block on a page or post.

The CVSS score of 6.4 indicates a moderate severity. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting no active exploit has been reported publicly. The attack path requires authenticated access at contributor level or higher, meaning the threat is primarily internal or from compromised contributors. An attacker who succeeds could inject scripts that persist until the page is viewed, leading to session theft or defacement. Given the authentication requirement, the probability of exploitation in the wild is moderate but significant if contributor accounts are weak or compromised.