What the vulnerability does
01Description
The Gutenverse plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 's' parameter in all versions up to, and including, 3.4.6 due to insufficient input sanitization and output escaping. Specifically, the `render_content()` method in `class-search-result-title.php` outputs the value of `get_query_var('s')` directly into the page HTML without applying `esc_html()` or any other escaping function. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages via a crafted URL that execute if a user clicks the link, provided the `gutenverse/search-result-title` block is present on the site's search results template.
Explanation of Vulnerability in Simple Terms
02Summary
Gutenverse contains a cross-site scripting (XSS) vulnerability in versions up to 3.4.6. An attacker can inject malicious scripts that execute in the browsers of site visitors or administrators. The vulnerability requires user interaction—typically clicking a malicious link or visiting a crafted page. The impact extends beyond the plugin itself to affect the broader site.
What an attacker can do
03Attacker Capabilities
Inject malicious JavaScript that runs in visitors' browsers, potentially stealing session tokens or redirecting users.
Potential impact on your site
04Site Impact
Visitors and admins could be redirected, have sessions hijacked, or see fake login forms injected into your site.
Conditions required to exploit
05Prerequisites
No authentication required. Victim must click a link or visit a page containing the malicious payload.
Key dates
06Disclosure timeline
May 27, 2026
CVE published
May 27, 2026
Record updated