CVE-2024-8536: 
WordPress vulnerability analysis and mitigation

The Ultimate Blocks WordPress plugin before version 3.2.2 contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2024-8536. The vulnerability was discovered by Dmitrii Ignatyev and publicly disclosed on September 9, 2024. The issue affects the plugin's block attributes handling functionality, specifically impacting users with contributor roles and above (WPScan).

The vulnerability stems from improper validation and escaping of block attributes before they are output back in a page or post where the block is embedded. This has been classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The vulnerability has received a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, indicating network accessibility, low attack complexity, and required user interaction (NVD).

When exploited, this vulnerability allows authenticated users with contributor role or higher privileges to perform Stored Cross-Site Scripting attacks. The impact is considered medium severity, with potential for compromising user data and website integrity through malicious script execution (WPScan).

The vulnerability has been patched in Ultimate Blocks version 3.2.2. Users are strongly advised to update their installations to this version or later to mitigate the security risk (WPScan).