CVE-2024-3901: 
WordPress vulnerability analysis and mitigation

The Genesis Blocks WordPress plugin through version 3.1.3 contains a stored Cross-Site Scripting (XSS) vulnerability, discovered by Dmitrii Ignatyev and publicly disclosed on April 12, 2024. The vulnerability affects WordPress installations using the Genesis Blocks plugin and specifically impacts users with contributor-level permissions or higher who can write posts (WPScan).

The vulnerability stems from improper escaping of attributes provided to custom blocks within the plugin. Several block attributes are affected, including shareButtonStyle, shareButtonSize, shareButtonColor, and shareAlignment. The vulnerability has been assigned a CVSS v3.1 score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD, Wiz).

When exploited, this vulnerability allows attackers with contributor-level access to conduct stored Cross-Site Scripting (XSS) attacks. This could potentially lead to the execution of malicious JavaScript code in the context of other users' browsers who view the affected posts (WPScan).

The vulnerability has been fixed in Genesis Blocks version 3.1.4. Users are advised to update to this version or later to mitigate the security risk (WPScan).