Impact
The bPlugins Icon List Block plugin for WordPress contains a stored cross-site scripting (XSS) flaw caused by improper neutralization of user-supplied input during web page generation. An attacker who can edit icon-list block content can embed script code that is saved with the post and executes in the browser of every visitor who views that content. The resulting impact can include theft of session cookies (where they are not marked HttpOnly), actions performed within a victim's authenticated session, page defacement, or execution of arbitrary client-side code, compromising the confidentiality and potentially the integrity of user data. The weakness is classified as CWE-79, Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').
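The advisory does not show the plugin's code, so the following is an added illustration, not code from the bPlugins plugin: it contrasts the general shape of an improper-neutralization bug in a WordPress dynamic block's render callback with its escaped form. The block name example/icon-list, the attribute names (items, label, url, icon) and the function names are assumptions chosen for the example.

```php
<?php
// Added illustrative example; not the plugin's own code. Block and attribute
// names are assumptions. Requires the WordPress runtime for esc_*() and
// register_block_type().

// Vulnerable shape: author-controlled attributes are concatenated into HTML
// verbatim. A user with edit rights can store a label such as
// <img src=x onerror=alert(document.domain)> or a url beginning with
// javascript:, and it runs for every visitor who views the post.
function example_icon_list_render_vulnerable( array $attributes ): string {
    $items = $attributes['items'] ?? array();
    $html  = '<ul class="icon-list">';
    foreach ( $items as $item ) {
        $label = $item['label'] ?? '';
        $url   = $item['url'] ?? '';
        $icon  = $item['icon'] ?? '';
        $html .= '<li class="' . $icon . '">'
               . '<a href="' . $url . '">' . $label . '</a></li>';
    }
    return $html . '</ul>';
}

// Hardened shape: every value is neutralized for the context it lands in.
// esc_url() rejects javascript: and other disallowed schemes, esc_attr()
// escapes attribute values, esc_html() escapes text nodes, and the icon class
// is validated against a fixed character set rather than escaped as free text.
function example_icon_list_render_safe( array $attributes ): string {
    $items = $attributes['items'] ?? array();
    $html  = '<ul class="icon-list">';
    foreach ( $items as $item ) {
        $label = esc_html( (string) ( $item['label'] ?? '' ) );
        $url   = esc_url( (string) ( $item['url'] ?? '' ) );
        $raw   = (string) ( $item['icon'] ?? '' );
        $icon  = preg_match( '/^[a-z0-9-]+$/', $raw ) ? $raw : 'icon-default';
        $html .= '<li class="' . esc_attr( $icon ) . '">'
               . '<a href="' . $url . '">' . $label . '</a></li>';
    }
    return $html . '</ul>';
}

// Register the dynamic block with the hardened callback (hypothetical block name).
register_block_type( 'example/icon-list', array(
    'attributes'      => array(
        'items' => array( 'type' => 'array', 'default' => array() ),
    ),
    'render_callback' => 'example_icon_list_render_safe',
) );
```

The design point is escaping at output time, per context: a single generic escape applied on save is not enough, because the same string is unsafe in different ways as a text node, an attribute value and a URL. Where an attribute is intended to carry limited HTML, wp_kses_post() is the WordPress alternative to esc_html().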
Affected Systems
Affected systems are WordPress sites with the bPlugins Icon List Block plugin installed. The CVE data gives no lower bound for the affected range (recorded as n/a), so every release up to and including version 1.2.3 should be treated as vulnerable; versions above 1.2.3 are outside the stated range. No other plugins or components are listed as affected in the CVE data.
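To confirm whether a site runs an affected build, the following added example (not part of the advisory or of the plugin) reads the Version header from a plugin's main file, without loading WordPress, and compares it against 1.2.3 with PHP's version_compare(). The plugin directory and file name in the default path are assumptions; pass the real path on the site as the first argument.

```php
<?php
// Added example for checking an installed plugin version against the
// affected range stated in the advisory. Default path is an assumption.

const LAST_AFFECTED_VERSION = '1.2.3';

// Parse the "Version:" line from a WordPress plugin header. Only the first
// 8 KiB are read, which is where WordPress itself looks for file headers.
function plugin_header_version( string $main_file ): ?string {
    $head = @file_get_contents( $main_file, false, null, 0, 8192 );
    if ( false === $head ) {
        return null;
    }
    // Same header-line pattern WordPress uses: optional comment decoration,
    // the key, a colon, then the value.
    if ( preg_match( '/^[ \t\/*#@]*Version:\s*(\S+)/mi', $head, $m ) ) {
        return $m[1];
    }
    return null;
}

// True when the installed version is inside the affected range (<= 1.2.3).
function is_affected_version( string $installed, string $last_affected = LAST_AFFECTED_VERSION ): bool {
    return version_compare( $installed, $last_affected, '<=' );
}

// Assumed default location; override on the command line.
$path = $argv[1] ?? '/var/www/html/wp-content/plugins/icon-list-block/icon-list-block.php';
$ver  = plugin_header_version( $path );

if ( null === $ver ) {
    fwrite( STDERR, "No Version header could be read from {$path}\n" );
    exit( 2 );
}

$affected = is_affected_version( $ver );
printf(
    "%s: version %s is %s\n",
    $path,
    $ver,
    $affected ? 'AFFECTED (<= ' . LAST_AFFECTED_VERSION . ')' : 'outside the affected range'
);
exit( $affected ? 1 : 0 );
```

The exit code (1 for affected, 0 for not affected, 2 when the header cannot be read) makes the check usable from a fleet inventory script. On a site where WP-CLI is available, `wp plugin list --fields=name,version` gives the same information from the WordPress side.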
Risk and Exploitability
The CVSS v3.1 base score of 6.5 falls in the Medium band (4.0 to 6.9) of the CVSS qualitative severity scale. The EPSS score is below 1 %, meaning a low estimated probability of exploitation in the wild within the next 30 days, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. The description does not state the privilege required, but for a stored XSS in block content it is inferred that the attacker needs an authenticated account able to create or edit posts or pages containing the icon-list block, which in WordPress typically starts at the Contributor role. Unauthenticated attackers would therefore first need to obtain such an account, for example through credential compromise or a separate privilege-escalation flaw. The likely attack vector is the WordPress block editor, where the icon-list block content is authored; the stored payload is then delivered to every visitor, including administrators, who views the affected post or page.
OpenCVE Enrichment