PT-2026-36950 · WordPress · Gutenverse

Athiwat Tiprasaharn · Published 2026-05-05 · Updated 2026-05-05 · CVE-2026-2868

CVSS v3.1: 6.4 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem versions prior to 3.5.4

Description

Insufficient input sanitization and output escaping allow authenticated attackers with contributor-level access or higher to perform Stored Cross-Site Scripting. This is achieved by injecting arbitrary web scripts through the separatorIconSVG parameter, which execute when a user visits the affected page.

Recommendations

Update to a version newer than 3.5.3. Avoid using the separatorIconSVG parameter until the update is applied.
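
An added audit example, not part of the advisory or the plugin's code: it scans stored post content for blocks whose separatorIconSVG value contains active markup, so existing pages can be reviewed after updating. It assumes the value is persisted as SVG markup in the serialized block comment's JSON attributes; the advisory does not state the storage format, and the block names in the sample are placeholders.

```python
import json
import re

# Serialized block comment: <!-- wp:namespace/name {json} --> or self-closing /-->
BLOCK_RE = re.compile(r"<!--\s+wp:([a-z0-9/-]+)\s+(\{.*?\})\s+/?-->", re.DOTALL)

# Markup that has no place in a static separator icon (triage heuristics only).
ACTIVE_SVG = {
    "script element": re.compile(r"<\s*script\b", re.I),
    "event-handler attribute": re.compile(r"[\s/\"']on[a-z]+\s*=", re.I),
    "javascript: URL": re.compile(r"javascript\s*:", re.I),
    "foreignObject element": re.compile(r"<\s*foreignObject\b", re.I),
}

def find_values(node, key):
    """Yield every string stored under `key`, at any depth of the attribute JSON."""
    if isinstance(node, dict):
        for k, v in node.items():
            if k == key and isinstance(v, str):
                yield v
            else:
                yield from find_values(v, key)
    elif isinstance(node, list):
        for item in node:
            yield from find_values(item, key)

def audit_post_content(post_content, key="separatorIconSVG"):
    """Return (block_name, [reasons]) for each block whose `key` value looks active."""
    findings = []
    for name, raw_attrs in BLOCK_RE.findall(post_content):
        try:
            attrs = json.loads(raw_attrs)  # also decodes \u003c-style escapes
        except json.JSONDecodeError:
            continue  # not a well-formed attribute object; skip it
        for value in find_values(attrs, key):
            reasons = [label for label, rx in ACTIVE_SVG.items() if rx.search(value)]
            if reasons:
                findings.append((name, reasons))
    return findings

# Constructed sample post_content; block names are placeholders, not from the advisory.
SAMPLE = (
    '<!-- wp:example/block-a {"separatorIconSVG":"\\u003csvg viewBox=\\"0 0 8 8\\"\\u003e\\u003cpath d=\\"M0 0h8\\"/\\u003e\\u003c/svg\\u003e"} /-->\n'
    '<!-- wp:example/block-b {"separatorIconSVG":"\\u003csvg onload=\\"void 0\\"\\u003e\\u003c/svg\\u003e"} /-->\n'
)
```

Run `audit_post_content` over each `post_content` value exported from the site's posts table; a hit is a lead for manual review, and an empty result does not prove the content is clean.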

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-2868

Affected Products

Gutenverse