Description
The Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.5.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-04-23
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

The vulnerability resides in the Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor WordPress plugin. Versions 3.5.5 and earlier allow an attacker with contributor‑level or higher access to embed malicious scripts within a block’s HTML. When a user opens the affected page, the stored script executes in the user’s browser, enabling data theft or session hijacking. This aligns with CWE‑79, a classic client‑side injection flaw.

Affected Systems

WordPress sites running the Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor plugin with a version of 3.5.5 or older are affected. The plugin is listed as gutentor. Any site using this plugin can be impacted if it has not been upgraded beyond the stated vulnerability window.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity. The EPSS score of less than 1% suggests a very low exploitation probability at present, and the vulnerability is not catalogued in CISA KEV. Exploitation requires an authenticated user with contributor privileges or higher; thus an attacker must first gain legitimate access or social engineering a contributor. No publicly disclosed exploits are reported, making the current risk moderate but present for actively used WordPress installations.

Generated by OpenCVE AI on April 28, 2026 at 15:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Gutentor to the latest version (3.5.6 or newer) to remove the input sanitization flaw.
  • If immediate update is not possible, limit or remove Contributor‑level content editing permissions to block creation and editing and enforce a strong Content‑Security‑Policy to mitigate script execution.
  • Check existing Gutentor blocks for suspicious code and delete or clean them manually; consider re‑exporting / re‑importing the site’s block library to ensure no residual payloads remain.

Generated by OpenCVE AI on April 28, 2026 at 15:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Gutentor
Gutentor gutentor – Gutenberg Blocks – Page Builder For Gutenberg Editor
Wordpress
Wordpress wordpress
Vendors & Products Gutentor
Gutentor gutentor – Gutenberg Blocks – Page Builder For Gutenberg Editor
Wordpress
Wordpress wordpress

Thu, 23 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 02:45:00 +0000

Type Values Removed Values Added
Description The Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.5.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor <= 3.5.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Gutentor Block HTML
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Gutentor Gutentor – Gutenberg Blocks – Page Builder For Gutenberg Editor
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-23T12:51:56.328Z

Reserved: 2026-02-21T20:23:25.224Z

Link: CVE-2026-2951

cve-icon Vulnrichment

Updated: 2026-04-23T12:51:51.993Z

cve-icon NVD

Status : Deferred

Published: 2026-04-23T03:16:16.360

Modified: 2026-04-23T14:28:55.557

Link: CVE-2026-2951

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T15:15:34Z

Weaknesses