Description
The Gutenverse Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file upload in all versions up to, and including, 2.3.2. This is due to the plugin's framework component adding SVG to the allowed MIME types via the upload_mimes filter without implementing any sanitization of SVG file contents. This makes it possible for authenticated attackers, with Author-level access and above, to upload SVG files containing malicious JavaScript that executes when the file is viewed, leading to arbitrary JavaScript execution in victims' browsers.
Published: 2026-01-08
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Client‑Side JavaScript Execution
Action: Patch
AI Analysis

Impact

The Gutenverse Form plugin contains a stored cross‑site scripting flaw that allows an authenticated user with Author-level access or higher to upload an SVG file containing malicious JavaScript. When the file is viewed, the script runs in the victim’s browser, enabling the attacker to steal credentials, deface the site, or perform other client‑side attacks. The vulnerability stems from the plugin adding SVG to the allowed MIME types without sanitizing the file contents.

Affected Systems

All releases of the Jegstudio Gutenverse Form – Contact Form Builder, Booking, Reservation, Subscribe for Block Editor plugin for WordPress up to and including version 2.3.2 are affected.

Risk and Exploitability

The flaw has a CVSS score of 6.4, indicating moderate severity. The EPSS score is below 1%, suggesting a low but non-zero likelihood of exploitation. It is not listed in CISA's KEV catalog. Attackers must first authenticate to the site with Author or higher privileges, upload a malicious SVG, and then wait for other site visitors to view the file to trigger the JavaScript.

Generated by OpenCVE AI on April 22, 2026 at 00:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Gutenverse Form plugin to a version that removes SVG upload support or sanitizes SVG content.
  • If an upgrade cannot be performed immediately, block the SVG MIME type by modifying the upload_mimes filter or using a security plugin to prevent SVG uploads for all users.
  • Locate and delete any SVG files already present in the media library that were uploaded by users with Author or higher roles to eliminate stored payloads.
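As an added mitigation example for the second recommended action (this is not code from the Gutenverse Form plugin or from OpenCVE): a WordPress must-use plugin that removes SVG from upload_mimes after other plugins have added it, and as defence in depth rejects any upload whose body is an SVG document regardless of its declared type. The filter names are core WordPress hooks; the priority value and the error message are assumptions.

```php
<?php
/**
 * Plugin Name: Block SVG Uploads (mitigation example)
 *
 * Added example, not code from Gutenverse Form or OpenCVE. Place this file in
 * wp-content/mu-plugins/ so it is always loaded. The PHP_INT_MAX priority is an
 * assumption chosen so this runs after the plugin's own upload_mimes filter.
 */

// 1. Strip SVG from the allowed MIME types after other plugins have added it.
add_filter( 'upload_mimes', function ( array $mimes ) {
    unset( $mimes['svg'], $mimes['svgz'] );
    return $mimes;
}, PHP_INT_MAX );

// 2. Defence in depth: inspect the uploaded file body itself and reject it if
//    it is an SVG document, whatever extension or MIME type the client declared.
add_filter( 'wp_handle_upload_prefilter', function ( array $file ) {
    if ( empty( $file['tmp_name'] ) || ! is_readable( $file['tmp_name'] ) ) {
        return $file;
    }
    // Only the first 4 KiB is needed to find the root <svg> element.
    $head = file_get_contents( $file['tmp_name'], false, null, 0, 4096 );
    if ( $head !== false && preg_match( '/<\s*svg\b/i', $head ) ) {
        // Setting 'error' makes WordPress abort the upload with this message.
        $file['error'] = 'SVG uploads are disabled on this site.';
    }
    return $file;
} );
```

For the third recommended action, existing SVG attachments and their uploaders can be listed with WP-CLI, which passes extra arguments through to WP_Query: `wp post list --post_type=attachment --post_mime_type=image/svg+xml --fields=ID,post_author,guid`.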

Tracking


Advisories

No advisories yet.

History

Mon, 12 Jan 2026 14:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Jegstudio; Jegstudio gutenverse; Wordpress; Wordpress wordpress
Vendors & Products | | Jegstudio; Jegstudio gutenverse; Wordpress; Wordpress wordpress

Thu, 08 Jan 2026 18:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 08 Jan 2026 09:45:00 +0000

Type | Values Removed | Values Added
Description | | The Gutenverse Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file upload in all versions up to, and including, 2.3.2. This is due to the plugin's framework component adding SVG to the allowed MIME types via the upload_mimes filter without implementing any sanitization of SVG file contents. This makes it possible for authenticated attackers, with Author-level access and above, to upload SVG files containing malicious JavaScript that executes when the file is viewed, leading to arbitrary JavaScript execution in victims' browsers.
Title | | Gutenverse Form <= 2.3.2 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Jegstudio Gutenverse
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:02:07.836Z

Reserved: 2025-12-19T18:47:27.464Z

Link: CVE-2025-14984

Vulnrichment

Updated: 2026-01-08T15:15:42.341Z

NVD

Status: Deferred

Published: 2026-01-08T10:15:46.833

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14984

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T00:15:03Z

Weaknesses