CVE-2024-5595: 
WordPress vulnerability analysis and mitigation

The Essential Blocks WordPress plugin before version 4.7.0 contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2024-5595. The vulnerability was discovered on July 12, 2024, and affects the plugin's block options functionality. The issue stems from improper validation and escaping of block options before they are output back in pages or posts (WPScan, NVD).

The vulnerability exists due to insufficient validation and escaping of block options in the Essential Blocks WordPress plugin. When these block options are embedded in a page or post, they can be manipulated to execute malicious scripts. The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, indicating that it requires low privileges and user interaction to exploit (NVD).

The vulnerability allows users with contributor role and above to perform Stored Cross-Site Scripting attacks. When successfully exploited, the XSS payload is triggered when a user edits the affected post in normal mode and moves the mouse above the title in the generated card (WPScan).

The vulnerability has been fixed in Essential Blocks version 4.7.0. Users are advised to update to this version or later to mitigate the security risk (WPScan).