Gutenify WordPress Plugin CVE-2025-53324
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
6DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodeYatri Gutenify gutenify allows Stored XSS.This issue affects Gutenify: from n/a through <= 1.5.7.
AnalysisAI
Stored cross-site scripting (XSS) in Gutenify WordPress plugin versions through 1.5.7 allows remote attackers to inject malicious scripts into site content. Successfully exploited, attackers can execute arbitrary JavaScript in victim browsers when authenticated administrators or editors view the compromised content. EPSS exploitation probability is minimal (0.02%, 6th percentile), and no active exploitation or public POC is confirmed. While CVSS assigns high (7.1) severity due to changed scope, real-world risk is moderate given the requirement for user interaction and the narrow attack surface of a WordPress block editor plugin.
Technical ContextAI
Gutenify is a WordPress block editor (Gutenberg) plugin for site building and pattern libraries. The vulnerability stems from CWE-79: Improper Neutralization of Input During Web Page Generation. User-controlled input passed through the plugin's block editor interface is not properly sanitized or encoded before being rendered in the WordPress admin dashboard or front-end site. This allows HTML and JavaScript code injection that persists in the database (stored XSS), executing whenever the affected content is viewed. The changed scope (S:C) in the CVSS vector indicates the injected script can interact with resources beyond the vulnerable plugin's security context, potentially accessing WordPress admin functionality or session data.
Affected ProductsAI
WordPress Gutenify plugin versions from earliest available release through 1.5.7 are confirmed affected. The vulnerability was reported by Patchstack (audit@patchstack.com) and documented in their vulnerability database. No CPE identifier is provided in the CVE record. Organizations should check installed plugin version via WordPress admin dashboard (Plugins → Installed Plugins) or by examining the gutenify/gutenify.php file header for version metadata. Vendor advisory is available at Patchstack database entry https://patchstack.com/database/Wordpress/Plugin/gutenify/vulnerability/wordpress-gutenify-plugin-1-5-6-cross-site-scripting-xss-vulnerability.
RemediationAI
Upgrade Gutenify plugin to version 1.5.8 or later if available (verify current version at WordPress.org plugin repository as Patchstack advisory references 1.5.6 patch testing but CVE scope extends to 1.5.7, suggesting 1.5.8+ contains the fix). Access WordPress admin dashboard, navigate to Plugins → Installed Plugins, locate Gutenify, and click Update Now if update is available. Review Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/gutenify/ for specific patch version confirmation. If immediate patching is not feasible, temporarily disable the Gutenify plugin via Plugins → Installed Plugins → Deactivate (note this will remove Gutenify blocks from active pages until reactivation with patched version). As compensating control, restrict WordPress editor/admin access to trusted users only and enable Content Security Policy headers to limit inline script execution, though CSP may interfere with legitimate WordPress admin functionality and requires careful tuning.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today