The Kadence Blocks — Page Builder Toolkit for Gutenberg Editor plugin for WordPress suffers from a DOM-based stored cross-site scripting vulnerability (CWE-79) due to improper neutralization of input in HTML data attributes. Authenticated users with contributor-level permissions or higher can inject arbitrary JavaScript code into pages via insufficiently sanitized user-supplied attributes. This malicious code executes in the context of any user viewing the affected page, potentially leading to information disclosure or session hijacking. The vulnerability affects all versions up to and including 3.2.45. There is no patch or official vendor advisory currently available. The CVSS 3.1 vector indicates network attack vector, low attack complexity, privileges required at low level, no user interaction, scope changed, and low impact on confidentiality and integrity, with no impact on availability.

Successful exploitation allows an authenticated contributor or higher to inject and store malicious scripts that execute in the browsers of users viewing the infected pages. This can lead to unauthorized actions performed in the context of the victim user, such as theft of session tokens or other sensitive information. The impact is limited to confidentiality and integrity with no availability impact. The vulnerability requires authenticated access at contributor level or above, reducing the attack surface compared to unauthenticated attacks.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict contributor-level access to trusted users only. Monitor plugin updates from stellarwp and apply any released patches promptly. Consider implementing additional input validation or output escaping controls if possible. No vendor advisory or official fix is currently available, so no direct patch can be applied at this time.