Description
The plugin does not validate and escape some of its block attributes before outputting them back in a page/post where the block is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
Add a Lottie Animation block to a post and put the following payload in the "Lottie Animation URL" option of the block: https://lottie.host/9a802a6b-8684-423f-9eb3-c88be9caa335/QuOMXrIn7t.lottie" onmouseover=alert(/XSS/)//
The XSS will be triggered when any user (pre)views the post and moves the mouse over the generated image.
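The missing validation and escaping described above, shown as an added example that is not the plugin's own code: a hypothetical renderer that concatenates the block attribute into markup, beside a version that validates the URL and escapes it at output. The `<lottie-player>` tag and all function names are assumptions.

```javascript
// Added illustration: hypothetical renderer, not the plugin's code.
// The <lottie-player> tag and all function names are assumptions.
const POC_VALUE = 'https://lottie.host/9a802a6b-8684-423f-9eb3-c88be9caa335/' +
  'QuOMXrIn7t.lottie" onmouseover=alert(/XSS/)//'; // value from the advisory

// Flawed pattern: the block attribute is concatenated into markup as-is.
function renderUnsafe(src) {
  return '<lottie-player src="' + src + '"></lottie-player>';
}

// Validation: accept only absolute http(s) URLs and return the parsed,
// normalized form (the URL parser percent-encodes '"' and spaces in paths).
function validateAnimationUrl(raw) {
  let url;
  try {
    url = new URL(String(raw).trim());
  } catch (err) {
    return null;
  }
  return ['https:', 'http:'].includes(url.protocol) ? url.href : null;
}

// Output escaping for a quoted HTML attribute value.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escAttr(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Hardened pattern: validate first, then escape at the point of output.
function renderSafe(src) {
  const url = validateAnimationUrl(src);
  return url === null ? '' : '<lottie-player src="' + escAttr(url) + '"></lottie-player>';
}

// Review/test helper: attribute names a parser sees on the opening tag.
function attributeNames(html) {
  const attr = /\s+([^\s=>"']+)(?:=(?:"[^"]*"|'[^']*'|[^\s>]*))?/y;
  attr.lastIndex = /^<[\w-]+/.exec(html)[0].length;
  const names = [];
  for (let m = attr.exec(html); m !== null; m = attr.exec(html)) {
    names.push(m[1].toLowerCase());
  }
  return names;
}

console.log(attributeNames(renderUnsafe(POC_VALUE))); // [ 'src', 'onmouseover' ]
console.log(attributeNames(renderSafe(POC_VALUE)));   // [ 'src' ]
```

A second attribute name appearing on the tag is the signal that the value escaped its quotes; the hardened renderer keeps the whole value inside `src`.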