Description
Unauthenticated Cross Site Scripting (XSS) in Gutenverse Form <= 2.4.7 versions.
Published: 2026-06-26
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an unauthenticated Cross Site Scripting flaw that affects WordPress.com’s Gutenverse Form plugin versions up to 2.4.7. The flaw allows the injection of malicious script content into form fields, which is then rendered on the site; the impact is the execution of that code in visitors’ browsers. The extent of this impact is inferred from the typical behavior of XSS vulnerabilities, as the description does not explicitly state consequences such as session hijacking or phishing.

Affected Systems

Affected are WordPress.com installations running the Gutenverse Form plugin through version 2.4.7 inclusive; any site using an older release of the plugin is vulnerable, while upgrades to 2.5.0 or later are considered safe.

Risk and Exploitability

This vulnerability carries a CVSS base score of 7.1, classifying it as high severity. No EPSS score is available, and the flaw is not listed in the CISA KEV catalog. The likely attack vector is inferred from the description of unauthenticated XSS: an attacker can exploit the plugin by submitting payloads that are not sanitized, and because the flaw operates on data submitted by any visitor, compromise can occur on a per‑visit basis or through stored payloads that persist on the site.

Generated by OpenCVE AI on June 26, 2026 at 17:17 UTC.

Remediation

Vendor Solution

Update the WordPress Gutenverse Form Plugin to the latest available version (at least 2.5.0).


OpenCVE Recommended Actions

  • Update the WordPress Gutenverse Form Plugin to at least version 2.5.0.
  • Implement strict input sanitization and output encoding to mitigate XSS in compliance with CWE-79 best practices.
  • Scan existing site content for any injected script artefacts that may have been stored before the patch and remove them.


Advisories

No advisories yet.

History

Fri, 26 Jun 2026 16:30:00 +0000

Type: Metrics
Values removed: none
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 15:15:00 +0000

Type: Description
Values removed: none
Values added: Unauthenticated Cross Site Scripting (XSS) in Gutenverse Form <= 2.4.7 versions.

Type: Title
Values removed: none
Values added: WordPress Gutenverse Form plugin <= 2.4.7 - Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values removed: none
Values added: CWE-79

Type: References
Values removed: none
Values added: none

Type: Metrics
Values removed: none
Values added: cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-26T15:47:42.331Z

Reserved: 2026-06-18T14:37:40.347Z

Link: CVE-2026-56040

Vulnrichment

Updated: 2026-06-26T15:47:37.671Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T17:30:05Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')