Skip to main content

Gutenverse EUVDEUVD-2026-39959

| CVE-2026-12399 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-27 Wordfence GHSA-pgr2-vvf9-xmqw
4.4
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
4.4 MEDIUM
AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
4.0 MEDIUM

Editor auth (PR:H) and deployment-specific conditions (AC:H) required; victim page visit needed (UI:R); scope changes to visitor browsers (S:C).

3.1 AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:P/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 27, 2026 - 07:53 vuln.today
CVE Published
Jun 27, 2026 - 06:50 cve.org
MEDIUM 4.4

DescriptionCVE.org

The Gutenverse - WordPress Blocks, Page Builder & Site Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.8.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

AnalysisAI

Stored Cross-Site Scripting in the Gutenverse WordPress Blocks, Page Builder & Site Editor plugin (all versions through 3.8.0) enables authenticated editor-level users to persist arbitrary JavaScript into pages served to any site visitor. The vulnerability is constrained to WordPress multi-site installations or single-site deployments where unfiltered_html has been explicitly disabled. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as editor-level WordPress user
Delivery
Inject script via Gutenverse admin settings field
Exploit
Payload stored in database without sanitization
Execution
Victim loads affected page on multi-site or restricted-HTML site
Persist
Malicious script executes in victim browser
Impact
Session token or credential exfiltration

Vulnerability AssessmentAI

Exploitation Exploitation requires three concurrent conditions: (1) the attacker must hold an authenticated WordPress account with editor-level permissions or higher - unauthenticated or subscriber/contributor-level access is insufficient; (2) the target WordPress installation must be configured as a multi-site network OR must have the unfiltered_html capability explicitly disabled (non-default configuration); and (3) the victim must subsequently load a page where the injected payload is rendered. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The official CVSS 3.1 score of 4.4 (Medium) with vector AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N accurately reflects the constrained real-world impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A threat actor with a compromised or insider editor-level WordPress account on a multi-site installation injects a malicious JavaScript payload into a Gutenverse admin settings field - for example a global variable or API-controlled style setting processed through class-global-variable.php or class-api.php. The payload is stored in the database without sanitization and rendered to every visitor who loads an affected page, enabling session cookie theft, credential phishing overlay injection, or redirection to attacker-controlled infrastructure. …
Remediation Upstream fix commit (changeset 3578328 at https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3578328%40gutenverse&new=3578328%40gutenverse) has been published to the WordPress plugin repository; update Gutenverse to the version incorporating this changeset as soon as it is tagged and available via the WordPress plugin updater. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39959 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy