Impact
The vulnerability occurs in the Custom Block Builder WordPress plugin before version 4.3.0, where the unfiltered_html capability is not checked on all paths that write into block template code fields. Administrators who lack that capability, notably on multisite installations or on single-site configurations with DISALLOW_UNFILTERED_HTML set, can nonetheless supply arbitrary JavaScript that is stored and then executed whenever a page embeds the affected block. Because the script runs in the context of the visitor's browser, an attacker can execute arbitrary client-side code, steal user session cookies, redirect visitors, or load additional malicious payloads.
Affected Systems
The affected product is the Custom Block Builder WordPress plugin, versions older than 4.3.0. Administrators on multisite setups or single-site installations that have DISALLOW_UNFILTERED_HTML enabled can inject scripts that will run for any visitor of pages containing the block.
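The missing gate described above, shown as an added PHP example (not the plugin's own code) with a weak save path beside a hardened one; the function names and the option key `cbb_template_code` are assumptions chosen for illustration.

```php
<?php
// Added example, not Custom Block Builder code. Hypothetical handlers for a
// block template "code" field; assumed names: cbb_* functions, option
// 'cbb_template_code'.

// Weak pattern: only checks that the caller may manage plugin settings.
// On a multisite, or when DISALLOW_UNFILTERED_HTML is true, an administrator
// does NOT hold unfiltered_html, yet this path still stores raw <script> markup.
function cbb_save_template_code_weak( $raw_code ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient privileges.' );
    }
    update_option( 'cbb_template_code', $raw_code ); // stored verbatim
    return true;
}

// Hardened pattern: the unfiltered_html decision lives in one sanitizer.
// WordPress core maps unfiltered_html to do_not_allow for everyone when
// DISALLOW_UNFILTERED_HTML is set, and for non-super-admins on multisite,
// so those callers have their markup reduced to the post-safe allowlist.
function cbb_sanitize_template_code( $raw_code ) {
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $raw_code;
    }
    // wp_kses_post() drops <script>, on* event handlers and javascript: URLs.
    return wp_kses_post( $raw_code );
}

function cbb_save_template_code( $raw_code ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient privileges.' );
    }
    update_option( 'cbb_template_code', cbb_sanitize_template_code( $raw_code ) );
    return true;
}

// Defence in depth: hook the sanitizer on the option itself so that every
// write path (admin form, REST route, WP-CLI, a direct update_option() call)
// passes through the same unfiltered_html check. update_option() runs
// sanitize_option(), which applies the sanitize_option_{$option} filter.
add_filter( 'sanitize_option_cbb_template_code', 'cbb_sanitize_template_code' );
```

Registering the check at the option level is what closes the "not checked on all paths" gap: a new save route added later cannot bypass it by forgetting the capability test.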
Risk and Exploitability
The attack path requires only an administrative account; an attacker holding one can store malicious JavaScript through the block editor. The vulnerability has a CVSS score of 3.5 (low severity), a rating that reflects the high privilege required, even though the injected scripts run for all visitors and enable cookie theft or phishing. No EPSS score is available, and the flaw is not listed in the CISA KEV catalog. Because exploitation depends solely on admin privileges, the best defenses are to patch and to restrict or remove the vulnerable block templates.
OpenCVE Enrichment