Impact
The Advance Block Extend plugin for WordPress is vulnerable to stored cross-site scripting through the TitleColor attribute of the Latest Posts Gutenberg block. Because the plugin does not sanitize or escape this attribute, an authenticated user with Contributor level or higher can inject arbitrary JavaScript. When a user loads a page containing the injected block, the malicious script runs in that visitor's browser, enabling cookie theft, phishing, or other client-side attacks. This flaw represents a classic injection weakness (CWE-79).
Affected Systems
The vulnerability affects the Advance Block Extend plugin for WordPress, distributed by iamjaydip, in all versions up to and including 1.0.4. Any WordPress site that has installed this plugin and has users with Contributor or higher roles is susceptible. No other products or versions are impacted according to the vendor information.
Risk and Exploitability
The CVSS v3 base score of 6.4 classifies this flaw as medium severity, but the EPSS score of less than 1% indicates a very low probability of widespread exploitation at present. Because the flaw requires authenticated access at Contributor level or higher, attackers must first compromise legitimate credentials or otherwise obtain such a role. The vulnerability is not listed in the CISA KEV catalog, further suggesting limited active exploitation. Nonetheless, once a site owner authorizes a contributor, that contributor could inject payloads that run for every visitor to the site, potentially affecting large traffic volumes. The necessary access level and lack of an immediate public exploit keep the risk moderate but non-negligible for active WordPress sites relying on this plugin.
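To check whether stored content already carries a suspicious TitleColor value, a site owner can audit exported post content. The script below is an added example, not code from the plugin or its vendor. It assumes the attribute is serialized as JSON in the Gutenberg block comment delimiter, and the block name `example/latest-posts` and the sample content are constructed placeholders.

```python
import json
import re

# Gutenberg stores block attributes as JSON inside an HTML comment delimiter:
#   <!-- wp:namespace/block {"attr":"value"} /-->
BLOCK_RE = re.compile(
    r"<!--\s+wp:(?P<name>[a-z][a-z0-9_-]*(?:/[a-z][a-z0-9_-]*)?)\s+"
    r"(?P<attrs>\{.*?\})\s+/?-->",
    re.DOTALL,
)

# Strict allowlist: a hex colour or a plain CSS colour keyword, nothing else.
SAFE_COLOR_RE = re.compile(
    r"#(?:[0-9a-fA-F]{3,4}|[0-9a-fA-F]{6}|[0-9a-fA-F]{8})|[a-zA-Z]{3,30}"
)


def audit_title_color(post_content):
    """Return (block_name, value) for every TitleColor that is not a plain colour."""
    findings = []
    for match in BLOCK_RE.finditer(post_content):
        try:
            # json.loads also decodes the \u003c-style escapes the editor writes,
            # so the check runs on the value the browser would finally receive.
            attrs = json.loads(match.group("attrs"))
        except json.JSONDecodeError:
            continue  # not a well-formed attribute object; out of scope here
        if not isinstance(attrs, dict) or "TitleColor" not in attrs:
            continue
        value = attrs["TitleColor"]
        if not (isinstance(value, str) and SAFE_COLOR_RE.fullmatch(value)):
            findings.append((match.group("name"), value))
    return findings


# Constructed sample post_content: one clean block, one core block without
# attributes, and one block whose TitleColor carries markup instead of a colour.
SAMPLE = (
    '<!-- wp:example/latest-posts {"TitleColor":"#1a2b3c"} /-->\n'
    "<!-- wp:paragraph -->\n<p>Hello</p>\n<!-- /wp:paragraph -->\n"
    '<!-- wp:example/latest-posts {"TitleColor":"#fff\\u0022\\u003e\\u003cscript\\u003e"} /-->\n'
)

if __name__ == "__main__":
    for block, value in audit_title_color(SAMPLE):
        print(f"review block {block}: TitleColor={value!r}")
```

The same allowlist idea applies on the server side: a colour attribute should be validated against a strict colour pattern and escaped before it is written into markup.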