Skip to main content

Gutenify WordPress Plugin CVE-2025-53324

HIGH
Cross-site Scripting (XSS) (CWE-79)
2025-11-06 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

6
Analysis Updated
Apr 24, 2026 - 00:50 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:43 vuln.today
cvss_changed
Severity Changed
Apr 23, 2026 - 15:43 NVD
MEDIUM HIGH
CVSS changed
Apr 23, 2026 - 15:43 NVD
5.4 (MEDIUM) 7.1 (HIGH)
Analysis Generated
Mar 28, 2026 - 19:20 vuln.today
CVE Published
Nov 06, 2025 - 16:15 nvd
MEDIUM 5.4

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodeYatri Gutenify gutenify allows Stored XSS.This issue affects Gutenify: from n/a through <= 1.5.7.

AnalysisAI

Stored cross-site scripting (XSS) in Gutenify WordPress plugin versions through 1.5.7 allows remote attackers to inject malicious scripts into site content. Successfully exploited, attackers can execute arbitrary JavaScript in victim browsers when authenticated administrators or editors view the compromised content. EPSS exploitation probability is minimal (0.02%, 6th percentile), and no active exploitation or public POC is confirmed. While CVSS assigns high (7.1) severity due to changed scope, real-world risk is moderate given the requirement for user interaction and the narrow attack surface of a WordPress block editor plugin.

Technical ContextAI

Gutenify is a WordPress block editor (Gutenberg) plugin for site building and pattern libraries. The vulnerability stems from CWE-79: Improper Neutralization of Input During Web Page Generation. User-controlled input passed through the plugin's block editor interface is not properly sanitized or encoded before being rendered in the WordPress admin dashboard or front-end site. This allows HTML and JavaScript code injection that persists in the database (stored XSS), executing whenever the affected content is viewed. The changed scope (S:C) in the CVSS vector indicates the injected script can interact with resources beyond the vulnerable plugin's security context, potentially accessing WordPress admin functionality or session data.

Affected ProductsAI

WordPress Gutenify plugin versions from earliest available release through 1.5.7 are confirmed affected. The vulnerability was reported by Patchstack (audit@patchstack.com) and documented in their vulnerability database. No CPE identifier is provided in the CVE record. Organizations should check installed plugin version via WordPress admin dashboard (Plugins → Installed Plugins) or by examining the gutenify/gutenify.php file header for version metadata. Vendor advisory is available at Patchstack database entry https://patchstack.com/database/Wordpress/Plugin/gutenify/vulnerability/wordpress-gutenify-plugin-1-5-6-cross-site-scripting-xss-vulnerability.

RemediationAI

Upgrade Gutenify plugin to version 1.5.8 or later if available (verify current version at WordPress.org plugin repository as Patchstack advisory references 1.5.6 patch testing but CVE scope extends to 1.5.7, suggesting 1.5.8+ contains the fix). Access WordPress admin dashboard, navigate to Plugins → Installed Plugins, locate Gutenify, and click Update Now if update is available. Review Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/gutenify/ for specific patch version confirmation. If immediate patching is not feasible, temporarily disable the Gutenify plugin via Plugins → Installed Plugins → Deactivate (note this will remove Gutenify blocks from active pages until reactivation with patched version). As compensating control, restrict WordPress editor/admin access to trusted users only and enable Content Security Policy headers to limit inline script execution, though CSP may interfere with legitimate WordPress admin functionality and requires careful tuning.

Share

CVE-2025-53324 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy