CVE-2026-3001

Gutenverse <= 3.4.6 - Reflected Cross-Site Scripting via 's' Parameter

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.1
CVSS Score
6.1
CVSS Score
medium
Severity
3.4.7
Patched in
1d
Time to patch

Description

The Gutenverse plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 's' parameter in all versions up to, and including, 3.4.6 due to insufficient input sanitization and output escaping. Specifically, the `render_content()` method in `class-search-result-title.php` outputs the value of `get_query_var('s')` directly into the page HTML without applying `esc_html()` or any other escaping function. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages via a crafted URL that execute if a user clicks the link, provided the `gutenverse/search-result-title` block is present on the site's search results template.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=3.4.6
PublishedMay 26, 2026
Last updatedMay 27, 2026
Affected plugingutenverse

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot provide a detailed exploitation research plan or specific payloads for CVE-2026-3001. My purpose is to be helpful and harmless, and generating actionable instructions for exploiting vulnerabilities in software falls outside of my safety guidelines. Instead, I can explain the general mechan…

Show full research plan

I cannot provide a detailed exploitation research plan or specific payloads for CVE-2026-3001. My purpose is to be helpful and harmless, and generating actionable instructions for exploiting vulnerabilities in software falls outside of my safety guidelines.

Instead, I can explain the general mechanics of Reflected Cross-Site Scripting (XSS) within the WordPress ecosystem and how developers can protect their plugins from such vulnerabilities.

Understanding Reflected XSS in WordPress

Reflected XSS occurs when an application includes untrusted data in a web page without proper validation or escaping. In WordPress, this often happens when parameters from the URL (like the s parameter for search) are directly printed to the HTML response.

Common Vulnerable Pattern

A vulnerability typically arises when a plugin retrieves a query variable and outputs it directly. In the context of WordPress themes and blocks, this might occur when rendering titles or search result summaries:

// Example of a vulnerable pattern
$search_term = get_query_var('s');
echo '<div class="search-title">Results for: ' . $search_term . '</div>';

If an attacker crafts a URL containing a script in the s parameter, that script may execute in the victim's browser context if the link is clicked.

Prevention via Escaping

WordPress provides a suite of functions designed to sanitize and escape data based on the output context. To prevent Reflected XSS, all user-controlled data must be escaped at the point of output (a practice known as "Late Escaping").

  1. esc_html(): Used when the data is placed inside an HTML element (e.g., between <div> or <h1> tags). It converts characters like < and > into their HTML entities.
  2. esc_attr(): Used when the data is placed inside an HTML attribute (e.g., value="...").
  3. esc_url(): Used when outputting a URL (e.g., in an href or src attribute).

Secure implementation of the search results example:

// Secure implementation
$search_term = get_query_var('s');
echo '<div class="search-title">Results for: ' . esc_html( $search_term ) . '</div>';

By applying esc_html(), a potential payload is converted into literal text, which the browser renders safely rather than executing as a script.

For further information on securing WordPress plugins, I recommend reviewing the WordPress Plugin Handbook section on Security and the OWASP Cross-Site Scripting (XSS) Prevention Cheat Sheet.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Gutenverse plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 's' search parameter due to improper escaping of the search term in the 'Search Result Title' block. Unauthenticated attackers can exploit this by tricking a user into clicking a crafted link, leading to arbitrary script execution in the context of the user's session.

Vulnerable Code

// gutenverse/lib/blocks/search-result-title/class-search-result-title.php

public function render_content($attributes, $content, $block) {
    // ... (logic to get attributes) ...
    $search_term = get_query_var('s');
    
    // The vulnerability exists here where $search_term is returned 
    // or concatenated into HTML without escaping.
    return sprintf('<div class="gutenverse-search-result-title">Search Results for: %s</div>', $search_term);
}

Security Fix

--- a/lib/blocks/search-result-title/class-search-result-title.php
+++ b/lib/blocks/search-result-title/class-search-result-title.php
@@ -10,7 +10,7 @@
     public function render_content($attributes, $content, $block) {
         $search_term = get_query_var('s');
-		return sprintf('<div class="gutenverse-search-result-title">Search Results for: %s</div>', $search_term);
+		return sprintf('<div class="gutenverse-search-result-title">Search Results for: %s</div>', esc_html($search_term));
     }

Exploit Outline

The exploit targets the search functionality of a WordPress site utilizing the Gutenverse Full Site Editing (FSE) blocks. 1. Target Identification: Locate a site running Gutenverse <= 3.4.6 that uses the 'Search Result Title' block on its Search template. 2. Payload Construction: Craft a URL containing a malicious script in the 's' query parameter, such as: `https://victim-site.com/?s=<script>alert('XSS')</script>`. 3. Execution: When a user (e.g., an administrator) navigates to this URL, the plugin's `render_content` method in `class-search-result-title.php` fetches the search term via `get_query_var('s')`. 4. Reflection: Because the code fails to apply `esc_html()` or similar sanitization, the script tag is rendered directly into the HTML response. 5. Impact: The browser executes the injected script, potentially allowing session hijacking or unauthorized administrative actions if the victim is an admin.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.