CVE-2024-8318: 
WordPress vulnerability analysis and mitigation

The Attributes for Blocks plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2024-8318) affecting all versions up to and including 1.0.6. The vulnerability exists due to insufficient input sanitization and output escaping in the 'attributesForBlocks' parameter (NVD).

The vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages that execute whenever a user accesses an injected page. The issue stems from improper handling of the 'attributesForBlocks' parameter. The vulnerability has been assigned a CVSS v3.1 base score of 6.4 (Medium) with vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N (NVD).

When exploited, this vulnerability allows attackers with Contributor-level access to inject malicious scripts that execute in users' browsers when they visit affected pages. This could lead to various attacks including cookie theft, session hijacking, or other client-side attacks (WordPress Plugin).

The vulnerability has been patched in version 1.0.7 of the Attributes for Blocks plugin. Site administrators should update to this version or later immediately. The update implements proper security controls by ensuring users without unfiltered_html capability can no longer add attributes, and existing attributes are stripped when such users update posts (WordPress Plugin).