PT-2026-43544 · WordPress · Gutenverse
Os
+1
·
Published
2026-05-27
·
Updated
2026-05-27
·
CVE-2026-3001
CVSS v3.1
6.1
Medium
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Gutenverse versions prior to 3.4.7
Description
The plugin is subject to Reflected Cross-Site Scripting, a flaw where an application includes untrusted data in a web page without proper validation, allowing scripts to be executed in the victim's browser. The issue occurs because the
render content() function in class-search-result-title.php outputs the value of the s parameter via get query var('s') directly into the HTML without using esc html() or other escaping functions. Unauthenticated attackers can inject arbitrary web scripts through a crafted URL, which execute when a user clicks the link, provided the gutenverse/search-result-title block is active on the search results template.Recommendations
Update to a version later than 3.4.6.
As a temporary workaround, remove the
gutenverse/search-result-title block from the site's search results template to minimize the risk of exploitation.Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Gutenverse