WP-Safety
CVE-2026-2924

Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem <= 3.4.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'imageLoad'

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.4
CVSS Score
6.4
CVSS Score
medium
Severity
3.4.7
Patched in
1d
Time to patch

Description

The Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'imageLoad' parameter in versions up to, and including, 3.4.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=3.4.6
PublishedApril 3, 2026
Last updatedApril 4, 2026
Affected plugingutenverse

What Changed in the Fix

Changes introduced in v3.4.7

Loading patch diff...

Source Code

WordPress.org SVN
Vulnerable v3.4.6
Browse source Download .zip
Patched v3.4.7
Browse source Download .zip
Research Plan
Unverified

This research plan focuses on exploiting a Stored Cross-Site Scripting (XSS) vulnerability in the **Gutenverse** plugin (CVE-2026-2924). The vulnerability is accessible to authenticated users with **Contributor** permissions or higher via the `imageLoad` block attribute. ### 1. Vulnerability Summar…

Show full research plan

This research plan focuses on exploiting a Stored Cross-Site Scripting (XSS) vulnerability in the Gutenverse plugin (CVE-2026-2924). The vulnerability is accessible to authenticated users with Contributor permissions or higher via the imageLoad block attribute.

1. Vulnerability Summary

The Gutenverse plugin for WordPress fails to properly sanitize and escape the imageLoad attribute used in one of its Gutenberg blocks (likely the Image Box or a related image block). Because Gutenberg block attributes are stored as JSON-encoded data within the post_content, a Contributor-level user can inject a malicious payload into this attribute. When the post is rendered on the frontend or previewed by an administrator, the payload is executed in the context of the victim's session.

2. Attack Vector Analysis

  • Endpoint: /wp-json/wp/v2/posts (WordPress REST API) or the post.php admin interface.
  • Vulnerable Parameter (Attribute): imageLoad within a Gutenverse block (e.g., gutenverse/image-box).
  • Authentication: Required (Contributor+).
  • Preconditions: The Gutenverse plugin must be active. The attacker must be able to create or edit a post.

3. Code Flow

  1. Input: A Contributor creates or updates a post containing a Gutenverse Gutenberg block. The block markup looks like this: <!-- wp:gutenverse/image-box {"imageLoad":"[PAYLOAD]"} /-->.
  2. Storage: WordPress saves the raw block markup into the post_content column of the wp_posts table.
  3. Processing: When the post is viewed, WordPress parses the block. The Gutenverse plugin's PHP rendering logic (likely a render_callback) retrieves the imageLoad attribute from the $attributes array.
  4. Sink: The plugin echoes the value of imageLoad into the HTML output (likely as an attribute or part of a script initialization) without calling esc_attr(), esc_html(), or wp_kses().
  5. Execution: The browser interprets the injected script, resulting in XSS.

4. Nonce Acquisition Strategy

To update a post via the REST API as a Contributor, a REST API Nonce is required.

  1. Navigate: Use browser_navigate to go to the WordPress Dashboard (/wp-admin/index.php) as the Contributor user.
  2. Extract: Use browser_eval to extract the nonce from the global wpApiSettings object:
    • browser_eval("window.wpApiSettings?.nonce")
  3. Alternative: If the REST API is restricted, the nonce can be found in the post.php editor page under the variable _wpnonce.

5. Exploitation Strategy

The goal is to inject a payload into the imageLoad attribute of a Gutenverse block.

Step-by-step Plan:

  1. Identify Block Name: Based on assets/css/frontend/image-box.css, the most likely block slug is gutenverse/image-box.
  2. Prepare Payload: Use a standard attribute breakout payload.
    • Payload: "><script>alert(document.domain)</script>
    • JSON-safe version: \"><script>alert(document.domain)</script>
  3. Create/Update Post: Send a POST request to the REST API to create a new post with the malicious block content.

Request Details:

  • Method: POST
  • URL: http://[TARGET]/wp-json/wp/v2/posts
  • Headers:
    • Content-Type: application/json
    • X-WP-Nonce: [EXTRACTED_NONCE]
  • Body:
    {
  "title": "XSS Test",
  "status": "draft",
  "content": "<!-- wp:gutenverse/image-box {\"imageLoad\": \"\\\"><script>alert(document.domain)</script>\"} /-->"
}

6. Test Data Setup

  1. User: Create a user with the contributor role.
  2. Plugin: Ensure Gutenverse (slug: gutenverse) is installed and activated.
  3. Post: (Optional) Identify an existing post ID that the contributor has permission to edit.

7. Expected Results

  1. The REST API should return a 201 Created or 200 OK response.
  2. When an Administrator views the "All Posts" screen and clicks "Preview" on the contributor's draft, an alert box showing the document domain should appear.
  3. The HTML source code of the rendered page should contain the raw payload: <div ... data-image-load=""><script>alert(document.domain)</script>" ...> (or similar placement).

8. Verification Steps

  1. Check DB: Use wp post get [ID] --field=content to verify the payload is stored in the database exactly as sent.
  2. Check Frontend: Use the http_request tool to fetch the preview URL or the published post URL and grep for the script:
    • http_request(url="http://[TARGET]/?p=[ID]&preview=true", method="GET")
    • Verify the existence of <script>alert(document.domain)</script>.

9. Alternative Approaches

  • Different Blocks: If gutenverse/image-box is not the correct slug, check for other image-related blocks by running: wp eval "print_r(WP_Block_Type_Registry::get_instance()->get_all_registered());" | grep gutenverse.
  • Attribute Context: If the imageLoad attribute is rendered inside a JavaScript string (e.g., initBlock({load: 'VALUE'})), change the payload to: ');alert(1);//.
  • Classic Editor: If the block editor is disabled, use the standard wp-admin/post.php interface with the block markup in the raw text editor.
  • Bypass Nonce: If nonces are strictly enforced and the REST API is unavailable, the Contributor can simply use the standard WordPress Dashboard UI to create a post and insert a "Custom HTML" block, though the vulnerability specifically targets the imageLoad attribute of a Gutenverse block.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Gutenverse plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'imageLoad' block attribute in versions up to 3.4.6. This allows authenticated users with Contributor-level permissions or higher to inject malicious JavaScript into posts, which executes when a user views or previews the affected content.

Vulnerable Code

/* The vulnerability exists because the 'imageLoad' attribute within Gutenverse blocks 
   (such as gutenverse/image-box) is rendered without proper sanitization or escaping. */

<!-- wp:gutenverse/image-box {"imageLoad":"[MALICIOUS_PAYLOAD]"} /-->

--- 

/* While the registration is in minified JS, the block structure demonstrates the sink */
/* assets/js/blocks.js */
// The imageLoad attribute is parsed and output to the DOM, often as a data attribute 
// or part of a script initialization, without being passed through esc_attr or similar.

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/gutenverse/3.4.6/assets/css/blocks.css /home/deploy/wp-safety.org/data/plugin-versions/gutenverse/3.4.7/assets/css/blocks.css
--- /home/deploy/wp-safety.org/data/plugin-versions/gutenverse/3.4.6/assets/css/blocks.css	2026-02-12 06:44:12.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/gutenverse/3.4.7/assets/css/blocks.css	2026-02-24 08:42:58.000000000 +0000
@@ -1 +1 @@
-@charset "UTF-8";.flatpickr-calendar{animation:none;background:transparent;background:#fff;border:0;border-radius:5px;box-shadow:1px 0 0 #e6e6e6,-1px 0 0 #e6e6e6,0 1px 0 #e6e6e6,0 -1px 0 #e6e6e6,0 3px 13px rgba(0,0,0,.08);box-sizing:border-box;direction:ltr;display:none;font-size:14px;line-height:24px;opacity:0;padding:0;position:absolute;text-align:center;touch-action:manipulation;visibility:hidden;width:307.875px}... (truncated)

Exploit Outline

1. Authenticate to the WordPress site as a Contributor or higher. 2. Obtain a REST API nonce from the WordPress dashboard (e.g., via `window.wpApiSettings.nonce`). 3. Send a POST request to `/wp-json/wp/v2/posts` to create or update a post. 4. In the request body, include a Gutenverse block (e.g., `gutenverse/image-box`) within the `content` field. 5. Set the `imageLoad` attribute of that block to an XSS payload, such as: `\"><script>alert(document.domain)</script>`. 6. Save the post as a draft or publish it. When an administrator or visitor views the post, the script in the `imageLoad` attribute will be rendered into the page source and execute.

References
https://www.wordfence.com/threat-intel/vulnerabilities/id/950f7493-4ccb-4a8a-9cc2-23b9ba3a9cd0?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database