{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2924", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-20T23:06:31.599Z", "datePublished": "2026-04-04T02:26:20.483Z", "dateUpdated": "2026-04-08T17:09:59.366Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:09:59.366Z"}, "affected": [{"vendor": "jegstudio", "product": "Gutenverse \u2013 Ultimate WordPress FSE Blocks Addons & Ecosystem", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.4.6", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Gutenverse \u2013 Ultimate WordPress FSE Blocks Addons & Ecosystem plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'imageLoad' parameter in versions up to, and including, 3.4.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Gutenverse \u2013 Ultimate WordPress FSE Blocks Addons & Ecosystem <= 3.4.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'imageLoad'", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/950f7493-4ccb-4a8a-9cc2-23b9ba3a9cd0?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3468383/gutenverse"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "timeline": [{"time": "2026-02-20T23:25:35.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-03T13:45:17.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2924", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-06T17:51:48.579335Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T18:02:55.519Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2924", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-06T17:51:48.579335Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T18:00:29.962Z"}}], "cna": {"title": "Gutenverse \u2013 Ultimate WordPress FSE Blocks Addons & Ecosystem <= 3.4.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'imageLoad'", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "jegstudio", "product": "Gutenverse \u2013 Ultimate WordPress FSE Blocks Addons & Ecosystem", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.4.6"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-20T23:25:35.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-04-03T13:45:17.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/950f7493-4ccb-4a8a-9cc2-23b9ba3a9cd0?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3468383/gutenverse"}], "descriptions": [{"lang": "en", "value": "The Gutenverse \u2013 Ultimate WordPress FSE Blocks Addons & Ecosystem plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'imageLoad' parameter in versions up to, and including, 3.4.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:09:59.366Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2924", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:09:59.366Z", "dateReserved": "2026-02-20T23:06:31.599Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-04T02:26:20.483Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Gutenverse \u2013 Ultimate WordPress FSE Blocks Addons & Ecosystem plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'imageLoad' parameter in versions up to, and including, 3.4.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2026-2924", "lastModified": "2026-04-24T18:13:28.877", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-04T04:17:13.790", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3468383/gutenverse"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/950f7493-4ccb-4a8a-9cc2-23b9ba3a9cd0?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.4.6]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Gutenverse \u2013 Ultimate WordPress FSE Blocks Addons & Ecosystem", "source": "cna", "vendor": "jegstudio"}, "product": "gutenverse_\u2013_ultimate_wordpress_fse_blocks_addons_&_ecosystem", "vendor": "jegstudio"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-04T06:20:50.157502+00:00", "value": {"mitigation_remediation": ["Upgrade the Gutenverse plugin to the latest version (3.4.7 or later)", "If an upgrade is not immediately possible, remove or disable the imageLoad feature via plugin settings or custom code", "Implement a web application firewall rule to block script payloads in the imageLoad parameter", "Verify that your WordPress installation is up to date and that user roles follow the principle of least privilege"], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting in Gutenverse plugin"}, "threat_synthesis": {"affected_systems": "The affected product is the Gentstudio Gutenverse \u2013 Ultimate WordPress FSE Blocks Addons & Ecosystem plugin for WordPress, versions up to and including 3.4.6. Any WordPress installation that is using a vulnerable version of this plugin and has users with contributor\u2011level permissions is at risk.", "description_and_impact": "The vulnerability allows an attacker who has contributor or higher access to a WordPress site to store malicious JavaScript in the imageLoad parameter of the Gutenverse plugin. The injected script is rendered when any user visits the affected page, resulting in arbitrary script execution and potential data theft or defacement. This is a classic stored XSS flaw as identified by CWE\u201179.", "risk_and_exploitability": "The CVSS score of 6.4 indicates a moderate severity vulnerability. No EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is likely authenticated because it requires contributor or higher access to inject the payload. The script is persisted in the database, so it will execute for all users who view the compromised page without any additional action. This elevates the risk for any site using the affected plugin."}}}}, "created": "2026-04-06T20:27:45.932963+00:00", "updated": "2026-04-06T22:21:04.962408+00:00", "vendors": ["jegstudio", "jegstudio$PRODUCT$gutenverse_\u2013_ultimate_wordpress_fse_blocks_addons_&_ecosystem", "wordpress", "wordpress$PRODUCT$wordpress"]}