CVE-2024-7590: 
NixOS vulnerability analysis and mitigation

The Spectra WordPress Gutenberg Blocks plugin contains a Stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2024-7590. The vulnerability affects versions up to and including 2.14.1 and was discovered on July 31, 2024. The issue lies in insufficient input sanitization and output escaping on user-supplied attributes, specifically in the FAQ heading tag (Patchstack, WPScan).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and has received a CVSS v3.1 score of 6.5 (Medium) from Patchstack and 5.4 (Medium) from NIST. The attack vector requires authenticated access with contributor-level privileges or higher. The vulnerability specifically affects the FAQ heading tag functionality within the plugin (NVD, Patchstack).

When exploited, this vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page, potentially leading to various attacks including malicious redirects, unauthorized advertisements, and other HTML payload injections (WPScan, Patchstack).

The vulnerability has been fixed in version 2.15.1 of the Spectra WordPress Gutenberg Blocks plugin. Users are advised to update to this version or later to remove the vulnerability. For Patchstack users, enabling auto-update for vulnerable plugins is recommended as an additional security measure (Patchstack).