CVE-2024-9655: 
WordPress vulnerability analysis and mitigation

The Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Icon widget in versions up to and including 6.6.2. The vulnerability was discovered and disclosed on November 1, 2024 (NVD).

The vulnerability stems from insufficient input sanitization and output escaping on user-supplied attributes in the Icon widget component. This security flaw has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N by NIST, while Wordfence assigned it a score of 6.4 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N (NVD).

The vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an affected page, potentially compromising the security of site visitors (NVD).

Users should update to a version newer than 6.6.2 to protect against this vulnerability. The issue has been patched in subsequent releases (WordPress Plugin).