Severity by source
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chief Gnome Garden Gnome Package garden-gnome-package allows DOM-Based XSS.This issue affects Garden Gnome Package: from n/a through <= 2.4.1.
AnalysisAI
DOM-based cross-site scripting (XSS) in Chief Gnome Garden Gnome Package through version 2.4.1 allows authenticated high-privilege users to inject malicious scripts via improper input neutralization during web page generation. An attacker with administrative credentials can craft requests that execute arbitrary JavaScript in the browsers of other users when they view affected pages. The vulnerability requires user interaction (UI:R) and high-privilege authentication (PR:H), significantly limiting real-world exploitation scope. EPSS exploitation probability is minimal at 0.03% (8th percentile), and no public exploit code has been identified.
Technical ContextAI
This is a DOM-based XSS vulnerability (CWE-79: Improper Neutralization of Input During Web Page Generation) in a WordPress plugin. DOM-based XSS occurs when client-side JavaScript code reads untrusted input (typically from the DOM, user input fields, or URL parameters) and writes it unsafely back into the DOM without proper sanitization or encoding. The vulnerability exists in Chief Gnome Garden Gnome Package (CPE: cpe:2.3:a:chief_gnome:garden_gnome_package:*:*:*:*:*:*:*:*), which is a WordPress plugin. The attack vector is network-based and does not require complex exploitation (AC:L), but the severity is constrained by the requirement for high-privilege authentication and user interaction, placing it in the medium-risk category despite the cross-site scope impact.
RemediationAI
Update Garden Gnome Package to a version newer than 2.4.1 if available from the vendor, Chief Gnome. Consult the Patchstack vulnerability database (https://patchstack.com/database/Wordpress/Plugin/garden-gnome-package/vulnerability/wordpress-garden-gnome-package-plugin-2-4-1-cross-site-scripting-xss-vulnerability) and the NVD advisory (https://nvd.nist.gov/vuln/detail/CVE-2026-39683) for the latest patch release. As a temporary control, restrict administrator access to only trusted users and avoid granting administrative privileges to accounts that do not require them. Review WordPress user roles and permissions to minimize the number of high-privilege accounts that could exploit this vulnerability.
More in Garden Gnome Package
View allThe Garden Gnome Package plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ggpkg' shor
The Garden Gnome Package plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ggpkg shortc
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20369
GHSA-77jh-75xf-5vr4