Platform
wordpress
Component
gutenverse
Fixed in
3.4.7
CVE-2026-2924 is a stored Cross-Site Scripting (XSS) vulnerability. It allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages, which are then executed when a user accesses the injected page. This affects Gutenverse WordPress plugin versions up to and including 3.4.6. The vulnerability is fixed in version 3.4.7.
CVE-2026-2924 in the Gutenverse WordPress plugin exposes a Stored Cross-Site Scripting (XSS) vulnerability. An authenticated attacker, possessing contributor-level access or higher, can inject malicious JavaScript code into WordPress pages. When other users access these pages, the script executes within their browsers, potentially allowing the attacker to steal sensitive information, modify page content, or redirect users to malicious websites. The CVSS score is 6.4, indicating a moderate to high risk. The vulnerability stems from insufficient sanitization of the 'imageLoad' parameter when processing images, enabling code injection.
An attacker with contributor or higher access on a website utilizing the vulnerable Gutenverse plugin can exploit this vulnerability. They can inject malicious JavaScript code through the 'imageLoad' parameter when uploading or modifying images. This code will be stored in the database and executed each time a user accesses the affected page. Successful exploitation requires valid access credentials and the ability to modify page content. The exploitation complexity is relatively low, requiring no advanced technical skills.
Exploit Status
EPSS
0.03% (9% percentile)
CISA SSVC
CVSS Vector
The recommended solution is to update the Gutenverse plugin to version 3.4.7 or later. This update incorporates necessary fixes to properly sanitize user input and prevent malicious script injection. Promptly updating is crucial to protect your website from potential XSS attacks. Additionally, review existing pages for potential injections and remove any suspicious code. Implementing a Content Security Policy (CSP) can further mitigate the risk of XSS.
Update to version 3.4.7, or a newer patched version
Vulnerability analysis and critical alerts directly to your inbox.
XSS (Cross-Site Scripting) is a security vulnerability that allows attackers to inject malicious scripts into legitimate websites. These scripts execute in the user's browser, potentially allowing the attacker to steal information, modify content, or redirect users to malicious sites.
If you are using the Gutenverse plugin in a version prior to 3.4.7, your website is vulnerable. Perform a security audit to identify any existing potential injections.
If you suspect your website has been compromised, immediately change the passwords of all administrator and contributor users. Conduct a thorough security audit to identify and remove any malicious code. Consider engaging a security professional for assistance.
Yes, updating the plugin to version 3.4.7 or later is the primary solution. However, it’s recommended to review existing pages to remove any previously injected malicious code.
A Content Security Policy (CSP) is an added layer of security that helps prevent XSS attacks by controlling the resources the browser is allowed to load. Implementing a CSP can reduce the risk of exploitation, even if an XSS vulnerability exists.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.