CVE-2026-2868 - Vulnerability Details

Description

The Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'separatorIconSVG' parameter in versions up to, and including, 3.5.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Published: 2026-05-05

Score: 6.4 Medium

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability allows authenticated users with contributor‑level access or higher to store malicious scripts in the separatorIconSVG field of the Gutenverse plugin. The stored script is rendered on pages that use the affected block, executing automatically in the victim’s browser. This can lead to defacement, theft of session cookies, authorization escalation, or delivery of malware to site visitors.

Affected Systems

WordPress sites that have installed the Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem plugin version 3.5.3 or earlier. Any user with contributor privileges on those sites can craft the injection. The issue does not affect older or newer plugin versions.

Risk and Exploitability

With a CVSS score of 6.4 the vulnerability is of moderate severity; the EPSS score is not available, and it is not currently listed in CISA KEV. The exploit requires local authenticated access, so attackers must first gain contributor‑level credentials. Once in place, they can embed arbitrary JavaScript that will run automatically when regular visitors view the affected page, enabling phishing, session hijacking or other malicious actions. Because many WordPress sites rely on this plugin, the overall risk is notable for sites that use contributor accounts on the affected plugin version.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

jegstudio

Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem

unaffected

Version	Status	Constraints
`0`	affected	≤ 3.5.3

No data.

Vendor Product Confidence Versions

Jegstudio

Gutenverse – Ultimate Wordpress Fse Blocks Addons & Ecosystem

100%

Version	Status	Scheme	Platform
`[0,3.5.3]`	affected	semver	—

Wordpress

80%

Version	Status	Scheme	Platform
`—`	unaffected	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Gutenverse plugin to a version newer than 3.5.3.
If an upgrade is not immediately possible, restrict contributor or higher roles from editing the separatorIconSVG field or temporarily disable that feature.
Ensure that the separatorIconSVG input is sanitized and escaped on the input and output sides, for example by using WordPress sanitization functions such as wp_strip_all_tags or wp_kses and by escaping the output with esc_html.

Generated by OpenCVE AI on May 5, 2026 at 03:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://plugins.trac.wordpress.org/changeset/3507804/gutenverse
https://www.wordfence.com/threat-intel/vulnerabilities/id/cc540e5c-180f-4743-b1fb-608aa0e3ae79?source=cve

History

Tue, 05 May 2026 03:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Jegstudio Jegstudio gutenverse – Ultimate Wordpress Fse Blocks Addons & Ecosystem Wordpress Wordpress wordpress
Vendors & Products		Jegstudio Jegstudio gutenverse – Ultimate Wordpress Fse Blocks Addons & Ecosystem Wordpress Wordpress wordpress

Tue, 05 May 2026 02:45:00 +0000

Type	Values Removed	Values Added
Description		The Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'separatorIconSVG' parameter in versions up to, and including, 3.5.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title		Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem <= 3.5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'separatorIconSVG'
Weaknesses		CWE-79
References		https://plugins.trac.wordpress.org/changeset/3507804/gutenverse https://www.wordfence.com/threat-intel/vulnerabilities/id/cc540e5c-180f-4743-b1fb-608aa0e3ae79?source=cve
Metrics		cvssV3_1 `{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}`

Subscriptions

Jegstudio Gutenverse – Ultimate Wordpress Fse Blocks Addons & Ecosystem

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2026-05-05T02:26:57.635Z

Updated: 2026-05-05T02:26:57.635Z

Reserved: 2026-02-20T14:31:17.028Z

Link: CVE-2026-2868

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-05T03:15:59.263

Modified: 2026-05-05T03:15:59.263

Link: CVE-2026-2868

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-05T03:30:14Z

Weaknesses

CWE-79

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object