Description WordPress does not properly escape the “tagName” attribute in the “Template Part block” allowing high-privileged users to perform Stored Cross-Site Scripting (XSS) attacks.
As a contributor, add a “Template Part” block to a post, click on “Start Blank” and then Create. Go into Editor mode and add the following to the wp:template-part block: “tagName”:“img src=x onerror=alert(1) title=x”