Impact
The vulnerability in GenerateBlocks allows authenticated contributors to inject arbitrary JavaScript via the headline block's linkMetaFieldType attribute. These scripts are stored and will run when any user follows the link, leading to potential data theft or credential compromise. The flaw results from insufficient input sanitization and escaping, and is classified as a stored XSS (CWE‑79).
Affected Systems
WordPress sites that use the GenerateBlocks plugin version 2.2.1 or earlier, including all versions up to that point. The plugin is maintained by edge22 and appears in the WordPress plugin repository. Affected installs are those that have the headline block enabled and the dynamic link attribute capability active.
Risk and Exploitability
The CVSS score of 6.4 indicates moderate risk, and the EPSS score is not available, suggesting no publicly reported exploit data yet. The vulnerability is not listed in CISA's KEV catalog. The attack requires contributor‑level authentication, which is common in many multisite WordPress configurations, and leverages a stored payload that is served to all site visitors. Because the JavaScript executes on link click, the risk is limited to situations where users interact with the headline link, but it can be leveraged to hijack sessions or phish credentials.
OpenCVE Enrichment