Impact
The Blocksy Companion plugin for WordPress contains a stored cross‑site scripting vulnerability that allows authenticated users with Editor‑level or higher permissions to inject malicious JavaScript through the product_description parameter in the plugin's admin settings. Because the plugin neither sanitizes the value on input nor escapes it on output, the injected code is persisted and executes in the browser of every user who views a page that displays the product description. This can be used to deface the site, hijack the sessions of logged‑in users (including administrators) who load the page, or run phishing content against visitors. Editors on a single‑site install normally hold the unfiltered_html capability and are already allowed to store script, so the flaw only matters where that capability is withheld: multi‑site installations and sites where unfiltered_html has been disabled. All plugin versions up to and including 2.1.45 are affected.
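The pattern the advisory describes, shown as an added illustration beside a hardened version. This is generic WordPress code written for this page, not Blocksy Companion's own source; the option name demo_product_description, the settings group demo_settings and the capability check are assumptions for the example.

```php
<?php
// Added example, not the plugin's code. Option and settings-group names are assumed.

// --- Vulnerable pattern: stored as received, echoed unescaped ---
function demo_save_product_description_vulnerable() {
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        return;
    }
    check_admin_referer( 'demo_settings' );
    // Raw request data is persisted as-is, script tags included.
    update_option( 'demo_product_description', wp_unslash( $_POST['product_description'] ?? '' ) );
}

function demo_render_product_description_vulnerable() {
    // No output escaping: whatever was stored above runs in the visitor's browser.
    echo '<div class="product-description">' . get_option( 'demo_product_description', '' ) . '</div>';
}

// --- Hardened pattern: sanitize on input via the Settings API, filter on output ---
function demo_sanitize_product_description( $raw ) {
    // Users WordPress itself trusts with raw HTML keep it. Everyone else
    // (editors on multisite, or any user when DISALLOW_UNFILTERED_HTML is set)
    // gets the post-content allowlist, which strips <script>, on* handlers,
    // javascript: URLs and similar vectors.
    return current_user_can( 'unfiltered_html' ) ? $raw : wp_kses_post( $raw );
}

add_action( 'admin_init', function () {
    // register_setting() makes options.php apply the sanitizer on every save,
    // so there is no code path that writes the option unsanitized.
    register_setting( 'demo_settings', 'demo_product_description', array(
        'type'              => 'string',
        'sanitize_callback' => 'demo_sanitize_product_description',
        'default'           => '',
    ) );
} );

function demo_render_product_description_hardened() {
    // Filter on output as well: stored data may predate the fix or have been
    // written by another code path, so do not trust the database alone.
    echo '<div class="product-description">'
        . wp_kses_post( get_option( 'demo_product_description', '' ) )
        . '</div>';
}
```

The hardened version deliberately keeps the same trust boundary WordPress core uses: a user who holds unfiltered_html can still store markup, so the fix removes the plugin's bypass rather than inventing a stricter policy. If the field is never meant to carry HTML at all, replace wp_kses_post() with sanitize_textarea_field() on input and esc_html() on output.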
Affected Systems
WordPress sites running the Blocksy Companion plugin (creativethemeshq:Blocksy Companion) in any version up to and including 2.1.45 are affected. Exploitation requires an account with the Editor role or higher, and it only matters where such accounts lack the unfiltered_html capability: multi‑site installations, or single‑site installations where unfiltered_html has been disabled.
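A quick way to tell whether a given site is in the affected configuration, added here as an example check rather than anything from the advisory or the plugin. It is meant to be run with WP-CLI (`wp eval-file check.php`); the plugin file path blocksy-companion/blocksy-companion.php is an assumption and should be confirmed against the installed plugin.

```php
<?php
// Added check, not from the advisory. Run: wp eval-file check.php
// Plugin path is an assumption; adjust to the installed plugin's main file.
if ( ! function_exists( 'get_plugin_data' ) ) {
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
}

$plugin_file = WP_PLUGIN_DIR . '/blocksy-companion/blocksy-companion.php';
if ( ! file_exists( $plugin_file ) ) {
    WP_CLI::success( 'Blocksy Companion is not installed.' );
    return;
}

$version  = get_plugin_data( $plugin_file, false, false )['Version'];
$affected = version_compare( $version, '2.1.45', '<=' );

// Mirrors the conditions under which WordPress core's map_meta_cap() withholds
// 'unfiltered_html' from non-super-admins: any multisite install, or any site
// that defines DISALLOW_UNFILTERED_HTML as true.
$editors_lack_unfiltered_html = is_multisite()
    || ( defined( 'DISALLOW_UNFILTERED_HTML' ) && DISALLOW_UNFILTERED_HTML );

WP_CLI::log( "Blocksy Companion version: {$version}" );
WP_CLI::log( 'Version in affected range (<= 2.1.45): ' . ( $affected ? 'yes' : 'no' ) );
WP_CLI::log( 'Editors lack unfiltered_html: ' . ( $editors_lack_unfiltered_html ? 'yes' : 'no' ) );

if ( $affected && $editors_lack_unfiltered_html ) {
    WP_CLI::warning( 'Site matches the advisory conditions: update the plugin.' );
} elseif ( $affected ) {
    WP_CLI::warning( 'Vulnerable version, but Editors already hold unfiltered_html on this single site, so the flaw grants them nothing new. Update anyway.' );
} else {
    WP_CLI::success( 'Plugin version is outside the affected range.' );
}
```

The second branch is the caveat worth keeping in mind when triaging: on a plain single-site install an Editor can already publish script, so the bug does not expand their privileges there, whereas on multisite it turns a role that is supposed to be HTML-restricted into one that can plant script for every visitor, including network administrators.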
Risk and Exploitability
The CVSS score of 4.4 places the issue at medium severity; the need for an authenticated Editor‑level account and the absence of public exploit code limit exposure. No EPSS score is available, and the issue is not listed in the CISA KEV catalog. Once an attacker holds such an account, however, the stored payload runs in the browser of every visitor who loads the affected page, administrators included, so the practical impact can exceed what the score alone suggests.
OpenCVE Enrichment