Impact
The Custom Query Blocks plugin for WordPress contains a DOM-based cross-site scripting (XSS) flaw in its post-type-archive-mapping feature. The defect stems from improper neutralization of user input during web page generation, which lets an attacker inject JavaScript that runs in the browser of anyone who visits a page that uses the vulnerable mapping. The consequences are those typical of XSS, such as defacement, data theft, or other actions performed in the victim's session, though the actual damage depends on what the injected script can reach. These impacts are inferred: the CVE description does not detail specific exploit results.
Affected Systems
This vulnerability affects all releases of the Custom Query Blocks plugin by Ronald Huereca up to and including version 5.5.0. No lower bound is stated, so the issue is assumed to exist from the earliest available release through 5.5.0. Any WordPress site running one of these versions remains exposed until the plugin is upgraded.
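A defender's check for the affected range, added here as an example and not code from the advisory or from the plugin itself: it reads the installed plugin version with WP-CLI and flags anything at or below 5.5.0. It assumes WP-CLI is available from the WordPress root and that the plugin's directory slug is `custom-query-blocks`; the slug is an assumption, so confirm it against `wp-content/plugins` before relying on the result.

```shell
#!/bin/sh
# Added example: flag an installed Custom Query Blocks version that falls in
# the affected range (<= 5.5.0). Not part of the advisory or the plugin.
AFFECTED_MAX="5.5.0"
# Assumed plugin slug; override with PLUGIN_SLUG=... if the directory differs.
PLUGIN_SLUG="${PLUGIN_SLUG:-custom-query-blocks}"

# version_le A B: exit 0 if dot-separated version A <= B, 1 otherwise.
# Compares each component numerically, treats missing components as 0, and
# ignores a non-numeric suffix such as "-beta" on a component.
version_le() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ap=${a%%.*}; bp=${b%%.*}
    [ "$a" = "$ap" ] && a="" || a=${a#*.}
    [ "$b" = "$bp" ] && b="" || b=${b#*.}
    ap=${ap%%[!0-9]*}; bp=${bp%%[!0-9]*}
    ap=${ap:-0}; bp=${bp:-0}
    if [ "$ap" -lt "$bp" ]; then return 0; fi
    if [ "$ap" -gt "$bp" ]; then return 1; fi
  done
  return 0
}

# check_plugin: query the installed version via WP-CLI (assumed present) and
# print a verdict. Returns 0 if affected, 1 if not, 2 if it cannot tell.
check_plugin() {
  installed=$(wp plugin get "$PLUGIN_SLUG" --field=version 2>/dev/null) || {
    echo "cannot determine version of $PLUGIN_SLUG (not installed or wp-cli unavailable)"
    return 2
  }
  if version_le "$installed" "$AFFECTED_MAX"; then
    echo "AFFECTED: $PLUGIN_SLUG $installed is <= $AFFECTED_MAX; update the plugin"
    return 0
  fi
  echo "not affected: $PLUGIN_SLUG $installed is newer than $AFFECTED_MAX"
  return 1
}

# Only run the live check when WP-CLI is actually on this host.
if command -v wp >/dev/null 2>&1; then
  check_plugin
fi
```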
Risk and Exploitability
The CVSS score of 6.5 rates the flaw as medium severity, and the EPSS score of below 1% suggests exploitation is unlikely at present. The vulnerability is not listed in the CISA KEV catalog. An attacker could exploit it by crafting a malicious link or supplying special input that reaches the vulnerable mapping function; no elevated privileges are required, so the attack vector is likely remote and dependent on user interaction in the browser. This assessment is inferred from the description, as the CVE statement does not specify the exact attack path.
OpenCVE Enrichment