Skip to main content

Garden Gnome Package CVE-2026-39683

| EUVDEUVD-2026-20369 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-08 Patchstack GHSA-77jh-75xf-5vr4
5.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.9 MEDIUM
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Generated
Apr 15, 2026 - 12:43 vuln.today
CVSS changed
Apr 13, 2026 - 20:22 NVD
5.9 (MEDIUM)
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20369
CVE Published
Apr 08, 2026 - 08:30 nvd
N/A

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chief Gnome Garden Gnome Package garden-gnome-package allows DOM-Based XSS.This issue affects Garden Gnome Package: from n/a through <= 2.4.1.

AnalysisAI

DOM-based cross-site scripting (XSS) in Chief Gnome Garden Gnome Package through version 2.4.1 allows authenticated high-privilege users to inject malicious scripts via improper input neutralization during web page generation. An attacker with administrative credentials can craft requests that execute arbitrary JavaScript in the browsers of other users when they view affected pages. The vulnerability requires user interaction (UI:R) and high-privilege authentication (PR:H), significantly limiting real-world exploitation scope. EPSS exploitation probability is minimal at 0.03% (8th percentile), and no public exploit code has been identified.

Technical ContextAI

This is a DOM-based XSS vulnerability (CWE-79: Improper Neutralization of Input During Web Page Generation) in a WordPress plugin. DOM-based XSS occurs when client-side JavaScript code reads untrusted input (typically from the DOM, user input fields, or URL parameters) and writes it unsafely back into the DOM without proper sanitization or encoding. The vulnerability exists in Chief Gnome Garden Gnome Package (CPE: cpe:2.3:a:chief_gnome:garden_gnome_package:*:*:*:*:*:*:*:*), which is a WordPress plugin. The attack vector is network-based and does not require complex exploitation (AC:L), but the severity is constrained by the requirement for high-privilege authentication and user interaction, placing it in the medium-risk category despite the cross-site scope impact.

RemediationAI

Update Garden Gnome Package to a version newer than 2.4.1 if available from the vendor, Chief Gnome. Consult the Patchstack vulnerability database (https://patchstack.com/database/Wordpress/Plugin/garden-gnome-package/vulnerability/wordpress-garden-gnome-package-plugin-2-4-1-cross-site-scripting-xss-vulnerability) and the NVD advisory (https://nvd.nist.gov/vuln/detail/CVE-2026-39683) for the latest patch release. As a temporary control, restrict administrator access to only trusted users and avoid granting administrative privileges to accounts that do not require them. Review WordPress user roles and permissions to minimize the number of high-privilege accounts that could exploit this vulnerability.

Share

CVE-2026-39683 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy