Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Network-delivered unauthenticated XSS (AV:N/PR:N) needing victim click (UI:R); injected script crosses into the user's session (S:C) with limited C/I/A impact.
Primary rating from Vendor (patchstack).
CVSS VectorVendor: patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Cross Site Scripting (XSS) in Gutenverse Form <= 2.4.7 versions.
AnalysisAI
Cross-site scripting in the Gutenverse Form WordPress plugin (versions ≤ 2.4.7) lets unauthenticated remote attackers inject script that executes in a victim's browser when the victim interacts with a crafted link or page. The CVSS:3.1 score is 7.1 with a changed scope, reflecting that injected script crosses the trust boundary into the user's authenticated WordPress session. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires victim user interaction (CVSS UI:R) - the target must click an attacker-crafted link or visit/submit attacker-influenced content that reaches a Gutenverse Form rendering path on a site running plugin version ≤ 2.4.7. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are moderate and largely consistent. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a malicious URL or form input containing a JavaScript payload targeting a Gutenverse Form endpoint and lures a logged-in WordPress user or administrator into clicking it. When the victim's browser renders the unsanitized response, the script executes in their authenticated session - enabling session/cookie theft, actions on the victim's behalf, or admin-panel manipulation. … |
| Remediation | No vendor-released patch version was identified in the provided data - the input names only the vulnerable range (≤ 2.4.7) and does not cite a fixed release. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all WordPress installations to identify Gutenverse Form plugin presence and installed versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39702
GHSA-4vr7-2w2q-jv5q