CVE-2024-10637: 
WordPress vulnerability analysis and mitigation

The Gutenberg Blocks with AI by Kadence WP WordPress plugin before version 3.2.54 contains a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered on December 12, 2024, and was assigned identifier CVE-2024-10637. The issue affects users with contributor role and above, as the plugin fails to properly validate and escape certain block options before outputting them back in pages or posts where the block is embedded (NVD CVE, WPScan Report).

The vulnerability stems from insufficient input validation and output escaping in the plugin's block options handling. The issue specifically affects the 'Forms (Adv)' block functionality where the 'family' parameter can be manipulated to inject malicious scripts. The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, indicating a network-accessible vulnerability requiring low attack complexity and user interaction (WPScan Report).

When exploited, this vulnerability allows authenticated users with contributor privileges or higher to perform Stored Cross-Site Scripting attacks. The stored XSS payload would execute whenever users access the affected page or post, potentially leading to client-side code execution in visitors' browsers (NVD CVE).

The vulnerability has been patched in version 3.2.54 of the Gutenberg Blocks with AI by Kadence WP plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan Report).