Severity by source
AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
Editor auth (PR:H) and deployment-specific conditions (AC:H) required; victim page visit needed (UI:R); scope changes to visitor browsers (S:C).
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Gutenverse - WordPress Blocks, Page Builder & Site Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.8.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
AnalysisAI
Stored Cross-Site Scripting in the Gutenverse WordPress Blocks, Page Builder & Site Editor plugin (all versions through 3.8.0) enables authenticated editor-level users to persist arbitrary JavaScript into pages served to any site visitor. The vulnerability is constrained to WordPress multi-site installations or single-site deployments where unfiltered_html has been explicitly disabled. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires three concurrent conditions: (1) the attacker must hold an authenticated WordPress account with editor-level permissions or higher - unauthenticated or subscriber/contributor-level access is insufficient; (2) the target WordPress installation must be configured as a multi-site network OR must have the unfiltered_html capability explicitly disabled (non-default configuration); and (3) the victim must subsequently load a page where the injected payload is rendered. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The official CVSS 3.1 score of 4.4 (Medium) with vector AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N accurately reflects the constrained real-world impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A threat actor with a compromised or insider editor-level WordPress account on a multi-site installation injects a malicious JavaScript payload into a Gutenverse admin settings field - for example a global variable or API-controlled style setting processed through class-global-variable.php or class-api.php. The payload is stored in the database without sanitization and rendered to every visitor who loads an affected page, enabling session cookie theft, credential phishing overlay injection, or redirection to attacker-controlled infrastructure. … |
| Remediation | Upstream fix commit (changeset 3578328 at https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3578328%40gutenverse&new=3578328%40gutenverse) has been published to the WordPress plugin repository; update Gutenverse to the version incorporating this changeset as soon as it is tagged and available via the WordPress plugin updater. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39959
GHSA-pgr2-vvf9-xmqw