{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2951", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-21T20:23:25.224Z", "datePublished": "2026-04-23T02:25:21.258Z", "dateUpdated": "2026-04-23T12:51:56.328Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-23T02:25:21.258Z"}, "affected": [{"vendor": "gutentor", "product": "Gutentor \u2013 Gutenberg Blocks \u2013 Page Builder for Gutenberg Editor", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.5.5", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Gutentor \u2013 Gutenberg Blocks \u2013 Page Builder for Gutenberg Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.5.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Gutentor \u2013 Gutenberg Blocks \u2013 Page Builder for Gutenberg Editor <= 3.5.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Gutentor Block HTML", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d7c639b8-35f5-4eaf-a663-1adab3ba2a16?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3495930/gutentor"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "timeline": [{"time": "2026-04-22T13:44:42.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-23T12:49:27.084318Z", "id": "CVE-2026-2951", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T12:51:56.328Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2951", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-23T12:49:27.084318Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T12:51:51.993Z"}}], "cna": {"title": "Gutentor \u2013 Gutenberg Blocks \u2013 Page Builder for Gutenberg Editor <= 3.5.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Gutentor Block HTML", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "gutentor", "product": "Gutentor \u2013 Gutenberg Blocks \u2013 Page Builder for Gutenberg Editor", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.5.5"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-04-22T13:44:42.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d7c639b8-35f5-4eaf-a663-1adab3ba2a16?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3495930/gutentor"}], "descriptions": [{"lang": "en", "value": "The Gutentor \u2013 Gutenberg Blocks \u2013 Page Builder for Gutenberg Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.5.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-23T02:25:21.258Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2951", "state": "PUBLISHED", "dateUpdated": "2026-04-23T12:51:56.328Z", "dateReserved": "2026-02-21T20:23:25.224Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-23T02:25:21.258Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Gutentor \u2013 Gutenberg Blocks \u2013 Page Builder for Gutenberg Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.5.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2026-2951", "lastModified": "2026-04-23T14:28:55.557", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-23T03:16:16.360", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3495930/gutentor"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d7c639b8-35f5-4eaf-a663-1adab3ba2a16?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.5.5]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Gutentor \u2013 Gutenberg Blocks \u2013 Page Builder for Gutenberg Editor", "source": "cna", "vendor": "gutentor"}, "product": "gutentor_\u2013_gutenberg_blocks_\u2013_page_builder_for_gutenberg_editor", "vendor": "gutentor"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-28T15:00:44.832528+00:00", "value": {"mitigation_remediation": ["Upgrade Gutentor to the latest version (3.5.6 or newer) to remove the input sanitization flaw.", "If immediate update is not possible, limit or remove Contributor\u2011level content editing permissions to block creation and editing and enforce a strong Content\u2011Security\u2011Policy to mitigate script execution.", "Check existing Gutentor blocks for suspicious code and delete or clean them manually; consider re\u2011exporting / re\u2011importing the site\u2019s block library to ensure no residual payloads remain."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "WordPress sites running the Gutentor \u2013 Gutenberg Blocks \u2013 Page Builder for Gutenberg Editor plugin with a version of 3.5.5 or older are affected. The plugin is listed as gutentor. Any site using this plugin can be impacted if it has not been upgraded beyond the stated vulnerability window.", "description_and_impact": "The vulnerability resides in the Gutentor \u2013 Gutenberg Blocks \u2013 Page Builder for Gutenberg Editor WordPress plugin. Versions 3.5.5 and earlier allow an attacker with contributor\u2011level or higher access to embed malicious scripts within a block\u2019s HTML. When a user opens the affected page, the stored script executes in the user\u2019s browser, enabling data theft or session hijacking. This aligns with CWE\u201179, a classic client\u2011side injection flaw.", "risk_and_exploitability": "The CVSS score of 5.4 indicates moderate severity. The EPSS score of less than 1% suggests a very low exploitation probability at present, and the vulnerability is not catalogued in CISA KEV. Exploitation requires an authenticated user with contributor privileges or higher; thus an attacker must first gain legitimate access or social engineering a contributor. No publicly disclosed exploits are reported, making the current risk moderate but present for actively used WordPress installations."}}}}, "created": "2026-04-28T09:26:26.173830+00:00", "updated": "2026-04-28T15:15:34.196768+00:00", "vendors": ["gutentor", "gutentor$PRODUCT$gutentor_\u2013_gutenberg_blocks_\u2013_page_builder_for_gutenberg_editor", "wordpress", "wordpress$PRODUCT$wordpress"]}