The vulnerability in the Maxi Blocks plugin allows an authenticated user with Author or higher privileges to store malicious JavaScript via the sc_styles parameter in the /wp-json/maxi-blocks/v1.0/style-card REST API. The plugin fails to sanitize and escape this input, so when the style card styles are loaded on any page, including the WordPress admin interface, the injected script executes in the context of those browsers. This can lead to session hijacking, credential theft, or other client‑side attacks. The flaw does not provide native remote code execution on the server, but it enables arbitrary script execution in user browsers that view affected content.

WordPress sites running the Maxi Blocks Builder plugin version 2.1.9 or earlier. The affected code resides in the class‑maxi-api.php and class‑maxi-style-cards.php files of the plugin, accessible through the REST API endpoint /wp-json/maxi-blocks/v1.0/style-card.

The CVSS score of 6.4 indicates a medium severity vulnerability. Although the EPSS score is not provided, the lack of KEV listing suggests no actively known exploitation. The vulnerability requires authenticated access at Author level or higher, so the attack vector is internal or social engineering to obtain such credentials. Once accessed, the attacker can inject arbitrary scripts that run on every page loading the style card, exposing all site visitors and administrative users to the risk.