Authenticated Cross-Site Scripting (XSS) vulnerability discovered by Michal Bentkowski (Securitum) in WordPress core block editor (versions <= 5.8).
The issue allows an authenticated but low-privileged user (like contributor/author) to execute XSS in the editor. This bypasses the restrictions imposed on users who do not have permission to post unfiltered_html.
Version update list: 5.8 updated to 5.8.1, 5.7.2 updated to 5.7.3, 5.7.1 updated to 5.7.3, 5.7 updated to 5.7.3, 5.6.4 updated to 5.6.5, 5.6.3 updated to 5.6.5, 5.6.2 updated to 5.6.5, 5.6.1 updated to 5.6.5, 5.6 updated to 5.6.5, 5.5.5 updated to 5.5.6, 5.5.4 updated to 5.5.6, 5.5.3 updated to 5.5.6, 5.5.2 updated to 5.5.6, 5.5.1 updated to 5.5.6, 5.5 updated to 5.5.6, 5.4.6 updated to 5.4.7, 5.4.5 updated to 5.4.7, 5.4.4 updated to 5.4.7, 5.4.3 updated to 5.4.7, 5.4.2 updated to 5.4.7, 5.4.1 updated to 5.4.7, 5.4 updated to 5.4.7
Update the WordPress to the latest available version (at least 5.8.1).