CVE-2024-6884: 
WordPress vulnerability analysis and mitigation

The Gutenberg Blocks with AI by Kadence WP WordPress plugin, prior to version 3.2.53, contains a stored Cross-Site Scripting (XSS) vulnerability. The issue was discovered by Dmitrii Ignatyev and publicly disclosed on July 18, 2024. The vulnerability affects users with contributor roles and above, allowing them to perform stored XSS attacks through unvalidated and unescaped block options in pages or posts (WPScan).

The vulnerability stems from the plugin's failure to properly validate and escape certain block options before outputting them back in pages or posts where the block is embedded. The issue specifically affects the Countdown block widget, where malicious code can be injected through the Days/Hours/Minutes or Seconds Label fields in the Countdown layout section. The vulnerability has been assigned a CVSS v3.1 score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (NVD).

When exploited, this vulnerability allows authenticated users with contributor privileges or higher to inject malicious scripts into pages or posts. These scripts are then executed when other users view the affected content, potentially leading to the exposure of sensitive information or manipulation of user interactions (WPScan).

Users are advised to update their Gutenberg Blocks with AI by Kadence WP plugin to version 3.2.53 or later, which contains the security fix for this vulnerability (WPScan).