CVE-2026-3001
Deferred Deferred - Pending Action
Reflected XSS in Gutenverse WordPress Plugin

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: Wordfence

Description
The Gutenverse plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 's' parameter in all versions up to, and including, 3.4.6 due to insufficient input sanitization and output escaping. Specifically, the `render_content()` method in `class-search-result-title.php` outputs the value of `get_query_var('s')` directly into the page HTML without applying `esc_html()` or any other escaping function. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages via a crafted URL that execute if a user clicks the link, provided the `gutenverse/search-result-title` block is present on the site's search results template.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-27
Last Modified
2026-05-27
Generated
2026-06-16
AI Q&A
2026-05-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-3001
EUVD
EUVD-2026-32114
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
gutenverse gutenverse to 3.4.6 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The Gutenverse plugin for WordPress has a Reflected Cross-Site Scripting (XSS) vulnerability in all versions up to and including 3.4.6. This occurs because the plugin does not properly sanitize or escape the input received via the 's' parameter in search queries.

Specifically, the vulnerability exists in the `render_content()` method of the `class-search-result-title.php` file, where the value from `get_query_var('s')` is output directly into the page HTML without using escaping functions like `esc_html()`. This allows an attacker to craft a malicious URL that injects arbitrary web scripts, which execute if a user clicks the link and the `gutenverse/search-result-title` block is present on the search results page.

Impact Analysis

This vulnerability can allow unauthenticated attackers to inject and execute arbitrary scripts in the context of the affected website when a user clicks a crafted URL. This can lead to theft of user credentials, session hijacking, defacement, or redirection to malicious sites.

Because the attack is reflected, it requires user interaction (clicking the malicious link), but the impact can still be significant, especially if users are tricked into clicking such links.

Detection Guidance

This vulnerability involves Reflected Cross-Site Scripting (XSS) via the 's' parameter in the Gutenverse WordPress plugin. Detection typically involves checking for the presence of the vulnerable plugin version (up to 3.4.6) and testing if the 's' parameter in search URLs is improperly sanitized.

You can detect attempts or presence of this vulnerability by monitoring HTTP requests for suspicious or crafted URLs containing script payloads in the 's' parameter.

  • Use web server logs or network monitoring tools to search for URLs with the 's' parameter containing suspicious script tags or JavaScript code.
  • Example command to search Apache logs for suspicious 's' parameter usage: grep -i 's=<script' /var/log/apache2/access.log
  • Use curl or wget to test the plugin by sending crafted URLs with script payloads in the 's' parameter and observe if the response reflects the script without escaping.
Mitigation Strategies

To mitigate this vulnerability, immediately update the Gutenverse plugin to a version later than 3.4.6 where the issue is fixed.

If an update is not immediately possible, consider temporarily disabling the Gutenverse plugin or removing the 'gutenverse/search-result-title' block from your search results template to prevent exploitation.

Additionally, implement Web Application Firewall (WAF) rules to block requests containing suspicious script payloads in the 's' parameter.

Educate users to avoid clicking on suspicious links that may exploit this vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3001. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart