Description WordPress does not properly escape the βtagNameβ attribute in the βTemplate Part blockβ allowing high-privileged users to perform Stored Cross-Site Scripting (XSS) attacks.
As a contributor, add a "Template Part" block to a post, click on "Start Blank" and then Create.
Go into Editor mode and add the following to the wp:template-part block: "tagName":"img src=x onerror=alert(1) title=x"