Impact
The vulnerability arises from insufficient sanitization and escaping of the 'fonts[].font.font.value' parameter in the admin settings of the Gutenverse plugin. It allows authenticated users with editor-level permissions or higher to store arbitrary JavaScript that will execute whenever a user accesses a page containing is classified as CWE‑79, and its impact is the execution of attacker‑controlled scripts in the context of site visitors. No additional effects such as hijacking or data theft are mentioned in the official description.
Affected Systems
The flaw affects the JegStudio Gutenverse – WordPress Blocks, Page Builder & Site Editor plugin in all releases up to and including version 3.8.0. It is limited to multisite WordPress installations where the 'unfiltered_html' capability has been disabled for roles other than administrators. Any site running these plugin versions under those conditions is vulnerable.
Risk and Exploitability
The CVSS base score for this vulnerability is 4.4, indicating moderate risk. The EPSS score is not available, suggesting no public exploitation evidence. The issue is not listed in the CISA KEV catalog. Exploitation requires an authenticated user with editor privileges or higher on a multisite WordPress installation that has unfiltered_html disabled, making it an insider or compromised‑account scenario. Because the flaw is a stored XSS, an attacker can inject scripts that execute for all visitors to the affected pages.
OpenCVE Enrichment