The Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates WordPress plugin suffers from a stored XSS vulnerability (CWE-79) in the Add to Cart block. Specifically, the className, classHook, and blockId attributes are inserted into class and data-id HTML attributes without proper escaping in the render_callback() function. This allows authenticated users with Contributor-level permissions or higher to inject malicious JavaScript code that executes in the context of any user viewing the compromised page. The vulnerability affects all versions up to 6.0.4. The CVSS 3.1 base score is 6.4, indicating medium severity, with network attack vector, low attack complexity, and no user interaction required.

An attacker with Contributor-level or higher privileges can inject persistent malicious scripts into pages via vulnerable attributes. These scripts execute in the browsers of users who visit the infected pages, potentially leading to session hijacking, defacement, or other client-side attacks. The vulnerability does not affect availability but impacts confidentiality and integrity of user sessions and data. There are no known exploits in the wild at this time.

Patch status is not yet confirmed — no official fix or patch links are provided by the vendor at this time. Users should monitor the vendor's advisory channels for updates. Until a patch is available, restrict Contributor-level access to trusted users only and consider disabling or removing the vulnerable Add to Cart block if feasible. Avoid exposing pages with this block to untrusted users. Follow vendor guidance once an official fix is released.