Description
The Gutenverse – WordPress Blocks, Page Builder & Site Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.8.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Published: 2026-06-27
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from insufficient sanitization and escaping of the 'fonts[].font.font.value' parameter in the admin settings of the Gutenverse plugin. It allows authenticated users with editor-level permissions or higher to store arbitrary JavaScript that will execute whenever a user accesses a page containing is classified as CWE‑79, and its impact is the execution of attacker‑controlled scripts in the context of site visitors. No additional effects such as hijacking or data theft are mentioned in the official description.

Affected Systems

The flaw affects the JegStudio Gutenverse – WordPress Blocks, Page Builder & Site Editor plugin in all releases up to and including version 3.8.0. It is limited to multisite WordPress installations where the 'unfiltered_html' capability has been disabled for roles other than administrators. Any site running these plugin versions under those conditions is vulnerable.

Risk and Exploitability

The CVSS base score for this vulnerability is 4.4, indicating moderate risk. The EPSS score is not available, suggesting no public exploitation evidence. The issue is not listed in the CISA KEV catalog. Exploitation requires an authenticated user with editor privileges or higher on a multisite WordPress installation that has unfiltered_html disabled, making it an insider or compromised‑account scenario. Because the flaw is a stored XSS, an attacker can inject scripts that execute for all visitors to the affected pages.

Generated by OpenCVE AI on June 27, 2026 at 08:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Gutenverse plugin to a version later than 3.8.0, where the stored XSS vulnerability has been addressed.
  • If an update cannot be applied immediately, deactivate or uninstall the Gutenverse plugin until a patched release is available.
  • Ensure that the WordPress 'unfiltered_html' capability is disabled for all non‑administrator roles so that editor users cannot add unfiltered content that could be exploited.

Generated by OpenCVE AI on June 27, 2026 at 08:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 27 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
First Time appeared Jegstudio
Jegstudio gutenverse – Wordpress Blocks, Page Builder & Site Editor
Wordpress
Wordpress wordpress
Vendors & Products Jegstudio
Jegstudio gutenverse – Wordpress Blocks, Page Builder & Site Editor
Wordpress
Wordpress wordpress

Sat, 27 Jun 2026 07:30:00 +0000

Type Values Removed Values Added
Description The Gutenverse – WordPress Blocks, Page Builder & Site Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.8.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Title Gutenverse <= 3.8.0 - Authenticated (Editor+) Stored Cross-Site Scripting via 'fonts[].font.font.value' Parameter
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Jegstudio Gutenverse – Wordpress Blocks, Page Builder & Site Editor
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-29T12:23:58.111Z

Reserved: 2026-06-16T13:23:19.459Z

Link: CVE-2026-12399

cve-icon Vulnrichment

Updated: 2026-06-29T12:23:54.212Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-27T12:15:08Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')