Description
The Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 3.5.3 via the import_images() function. This makes it possible for authenticated attackers, with contributor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Published: 2026-05-05
Score: 6.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Gutenverse plugin for WordPress contains a Server‑Side Request Forgery flaw in its import_images() function. An authenticated user with contributor-level access or higher can supply an arbitrary URL to the imageUrl field, causing the plugin to initiate a request from the web server to any chosen destination. This allows the attacker to read data from internal services, and in some cases to send write requests that may alter data or configurations on those services.

Affected Systems

The vulnerability affects the Jegstudio Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem plugin in all releases up to and including version 3.5.3. Any WordPress site running a vulnerable version of this plugin is exposed.

Risk and Exploitability

The CVSS score of 6.4 indicates a moderate severity. Because the attack requires only contributor or higher privileges within the WordPress installation, the likelihood of exploitation is non‑trivial for compromised or poorly secured user accounts. The flaw does not directly expose external services, yet it can be used to query or modify internal resources when the plugin’s server environment has network access to those resources. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, but the combination of authenticated access and the ability to target internal hosts makes remediation a priority.

Generated by OpenCVE AI on May 5, 2026 at 05:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Gutenverse plugin to a version released after 3.5.3 that removes the SSRF vector
  • If an update is not immediately possible, disable or tightly restrict the import_images() functionality for contributor and higher roles, or remove the imageUrl handling code entirely
  • Deploy network segmentation or firewall rules that block outbound requests from the WordPress server to internal services, unless explicitly required for legitimate operation

Generated by OpenCVE AI on May 5, 2026 at 05:21 UTC.
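The second recommended action above asks for the import path to be restricted. As an added illustration, not the Gutenverse plugin's own code, the following guarded fetch shows what a hardened handler for a user-supplied image URL looks like in a WordPress plugin; the function name gv_example_fetch_image is hypothetical, while wp_http_validate_url(), wp_safe_remote_get() and the other calls are real WordPress core APIs.

```php
<?php
// Hypothetical hardened fetch for a user-supplied image URL, added as an
// illustration; not the Gutenverse plugin's code. Assumes a WordPress runtime:
// wp_http_validate_url(), wp_safe_remote_get() and WP_Error are core APIs.
function gv_example_fetch_image( string $image_url ) {
    // Capability check: only roles allowed to upload media may trigger a fetch.
    if ( ! current_user_can( 'upload_files' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient privileges.' );
    }
    // Scheme allowlist: file://, gopher://, ftp:// and friends are rejected.
    $scheme = strtolower( (string) wp_parse_url( $image_url, PHP_URL_SCHEME ) );
    if ( ! in_array( $scheme, array( 'http', 'https' ), true ) ) {
        return new WP_Error( 'bad_scheme', 'Only http(s) URLs are accepted.' );
    }
    // Core validation: rejects hosts that resolve to loopback, link-local or
    // RFC 1918 addresses unless the http_request_host_is_external filter opts in.
    if ( false === wp_http_validate_url( $image_url ) ) {
        return new WP_Error( 'unsafe_url', 'URL points to a disallowed host.' );
    }
    // Re-check every resolved A record: a name may map to several addresses,
    // and a single internal one is enough to reach an internal service.
    $host = (string) wp_parse_url( $image_url, PHP_URL_HOST );
    $ips  = gethostbynamel( $host );
    if ( empty( $ips ) ) {
        return new WP_Error( 'dns', 'Host does not resolve.' );
    }
    foreach ( $ips as $ip ) {
        if ( ! filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE ) ) {
            return new WP_Error( 'private_ip', 'Host resolves to a private or reserved address.' );
        }
    }
    // Fetch with reject_unsafe_urls (implied by wp_safe_remote_get) and no
    // redirects, so a 3xx to an internal address cannot bypass the checks above.
    $response = wp_safe_remote_get( $image_url, array( 'timeout' => 10, 'redirection' => 0 ) );
    if ( is_wp_error( $response ) ) {
        return $response;
    }
    if ( 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return new WP_Error( 'http_status', 'Unexpected HTTP status.' );
    }
    // Only image content is accepted; any other body is discarded unread.
    $type = (string) wp_remote_retrieve_header( $response, 'content-type' );
    if ( 0 !== strpos( $type, 'image/' ) ) {
        return new WP_Error( 'not_image', 'Response is not an image.' );
    }
    return wp_remote_retrieve_body( $response );
}
```

Because the DNS lookup and the fetch are separate steps, a host whose DNS answer changes between them (DNS rebinding) can still slip through; pinning the resolved address at the transport layer closes that gap. Bracketed IPv6 literal hosts fail closed here, since gethostbynamel() only returns IPv4 records.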

Advisories

No advisories yet.

History

Tue, 05 May 2026 05:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Jegstudio; Jegstudio gutenverse – Ultimate Wordpress Fse Blocks Addons & Ecosystem; Wordpress; Wordpress wordpress
Vendors & Products | | Jegstudio; Jegstudio gutenverse – Ultimate Wordpress Fse Blocks Addons & Ecosystem; Wordpress; Wordpress wordpress

Tue, 05 May 2026 04:00:00 +0000

Type | Values Removed | Values Added
Description | | The Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 3.5.3 via the import_images() function. This makes it possible for authenticated attackers, with contributor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Title | | Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem <= 3.5.3 - Authenticated (Contributor+) Server-Side Request Forgery via 'imageUrl'
Weaknesses | | CWE-918
References | |
Metrics | | cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-05T03:37:37.872Z

Reserved: 2026-02-21T18:56:55.447Z

Link: CVE-2026-2948

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-05T04:16:09.120

Modified: 2026-05-05T04:16:09.120

Link: CVE-2026-2948

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-05T05:30:16Z

Weaknesses