The Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates WordPress plugin suffers from a stored cross-site scripting vulnerability (CWE-79) in its "Social Icons" block. This vulnerability arises from improper neutralization of input during web page generation, specifically due to insufficient input sanitization and output escaping of user-supplied attributes. Authenticated attackers with contributor-level or higher privileges can inject arbitrary JavaScript code into pages, which executes when other users access those pages. The vulnerability affects all versions up to 4.5.9. The CVSS 3.1 base score is 5.4 (medium severity), with network attack vector, low attack complexity, requiring privileges, user interaction, and partial impact on confidentiality and integrity but no impact on availability. No patch or official remediation guidance is currently provided by the vendor.

Successful exploitation allows authenticated users with contributor-level access or higher to inject and store malicious scripts within pages via the Social Icons block. These scripts execute in the context of other users viewing the page, potentially leading to partial confidentiality and integrity compromise. There is no impact on availability. The vulnerability could facilitate actions such as session hijacking or unauthorized actions performed by victim users, but only within the scope of the affected plugin and site.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict contributor-level access to trusted users only and consider removing or disabling the Social Icons block if feasible. Monitor for updates from the plugin vendor or WordPress security channels to apply any forthcoming patches promptly.