The Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates plugin for WordPress suffers from a stored cross-site scripting vulnerability (CWE-79) identified as CVE-2024-12045. This vulnerability arises from improper neutralization of input in the maker title value of the Google Maps block, allowing authenticated administrators to inject malicious scripts into pages. The vulnerability affects all plugin versions up to 5.0.9 and specifically impacts multi-site WordPress setups or installations with unfiltered_html disabled. The CVSS 3.1 base score is 4.4 (medium), with attack vector network, high attack complexity, requiring high privileges, no user interaction, and impacts confidentiality and integrity with scope changed. No known exploits in the wild or patch information is currently available.

An authenticated attacker with administrator privileges can inject arbitrary scripts into pages via the Google Maps block's maker title value. These scripts execute when users access the compromised pages, potentially leading to unauthorized actions or data exposure within the affected WordPress multi-site or restricted installations. The impact is limited by the requirement for administrator access and specific WordPress configurations. The CVSS score of 4.4 reflects a medium severity with limited confidentiality and integrity impact and no availability impact.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, administrators should carefully control access to the plugin and consider restricting administrator privileges to trusted users only. Additionally, review and sanitize any input related to the Google Maps block maker title value manually if possible. Monitoring official wpdevteam communications and WordPress plugin repositories for updates is recommended.