CVE-2024-10678: 
WordPress vulnerability analysis and mitigation

The Ultimate Blocks WordPress plugin versions before 3.2.4 contains a stored Cross-Site Scripting (XSS) vulnerability. This security issue was discovered on November 22, 2024, and was assigned CVE-2024-10678. The vulnerability affects users with contributor role and above who can exploit the plugin's failure to properly validate and escape block options before outputting them in pages or posts (WPScan).

The vulnerability stems from improper validation and escaping of block options in the Ultimate Blocks plugin. When these block options are output back in a page or post where the block is embedded, it creates an opportunity for stored XSS attacks. The vulnerability has been assigned a CVSS 3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (NVD).

The vulnerability allows authenticated users with contributor privileges or higher to perform Stored Cross-Site Scripting attacks. This could potentially lead to the execution of malicious JavaScript code in users' browsers when viewing affected pages (WPScan).

The vulnerability has been patched in Ultimate Blocks version 3.2.4. Users are advised to update to this version or later to mitigate the security risk (WPScan).