Skip to main content

Gutenverse Form CVE-2026-56040

| EUVDEUVD-2026-39702 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-26 audit@patchstack.com GHSA-4vr7-2w2q-jv5q
7.1
CVSS 3.1 · Vendor: patchstack
Share

Severity by source

Vendor (patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
7.1 HIGH

Network-delivered unauthenticated XSS (AV:N/PR:N) needing victim click (UI:R); injected script crosses into the user's session (S:C) with limited C/I/A impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (patchstack).

CVSS VectorVendor: patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 16:03 vuln.today

DescriptionCVE.org

Unauthenticated Cross Site Scripting (XSS) in Gutenverse Form <= 2.4.7 versions.

AnalysisAI

Cross-site scripting in the Gutenverse Form WordPress plugin (versions ≤ 2.4.7) lets unauthenticated remote attackers inject script that executes in a victim's browser when the victim interacts with a crafted link or page. The CVSS:3.1 score is 7.1 with a changed scope, reflecting that injected script crosses the trust boundary into the user's authenticated WordPress session. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious XSS payload in form input/URL
Delivery
Deliver crafted link to logged-in WordPress user
Exploit
Victim interaction renders unsanitized output
Execution
Script executes in victim's authenticated session
Impact
Steal session/perform admin actions

Vulnerability AssessmentAI

Exploitation Exploitation requires victim user interaction (CVSS UI:R) - the target must click an attacker-crafted link or visit/submit attacker-influenced content that reaches a Gutenverse Form rendering path on a site running plugin version ≤ 2.4.7. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are moderate and largely consistent. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malicious URL or form input containing a JavaScript payload targeting a Gutenverse Form endpoint and lures a logged-in WordPress user or administrator into clicking it. When the victim's browser renders the unsanitized response, the script executes in their authenticated session - enabling session/cookie theft, actions on the victim's behalf, or admin-panel manipulation. …
Remediation No vendor-released patch version was identified in the provided data - the input names only the vulnerable range (≤ 2.4.7) and does not cite a fixed release. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all WordPress installations to identify Gutenverse Form plugin presence and installed versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-56040 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy