CVE-2024-10484: 
NixOS vulnerability analysis and mitigation

The Spectra – WordPress Gutenberg Blocks plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2024-10484) in versions up to and including 2.16.2. The vulnerability exists in the plugin's 'Team' widget due to insufficient input sanitization and output escaping on user-supplied attributes. The issue was discovered and disclosed in December 2024 (NVD).

The vulnerability is classified as a Cross-Site Scripting (CWE-79) issue with a CVSS v3.1 base score of 5.4 (Medium) according to NVD, and 6.4 (Medium) according to Wordfence. The attack vector is network-based (AV:N), requires low attack complexity (AC:L), needs low privileges (PR:L), and user interaction (UI:R). The scope is changed (S:C) with low confidentiality and integrity impacts (C:L/I:L) and no availability impact (A:N) (NVD).

When exploited, this vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page (NVD).

Users should update their Spectra – WordPress Gutenberg Blocks plugin to version 2.16.3 or later, which contains the security fix for this vulnerability. A patch has been released and is available through the WordPress plugin repository (WordPress Plugin).