WordPress 5.4 to 5.8 - Authenticated XSS in Block Editor
On September 9, 2021, WordPress version 5.8.1 was released, fixing three vulnerabilities.
The official blog post states:
"Props to Michał Bentkowski of Securitum for reporting a XSS vulnerability in the block editor."
The issue allows an authenticated but low-privileged user (such as a contributor or author) to execute XSS in the editor. This bypasses the restrictions imposed on users who do not have the unfiltered_html capability.