CVE-2026-56040
Deferred Deferred - Pending Action
Unauthenticated XSS in Gutenverse Form

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: Patchstack

Description
Unauthenticated Cross Site Scripting (XSS) in Gutenverse Form <= 2.4.7 versions.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-26
Last Modified
2026-06-26
Generated
2026-06-26
AI Q&A
2026-06-26
EPSS Evaluated
N/A
NVD
CVE-2026-56040
EUVD
EUVD-2026-39702
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
patchstack gutenverse_form to 2.4.7 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability is an Unauthenticated Cross Site Scripting (XSS) issue in the Gutenverse Form WordPress plugin versions 2.4.7 and below.

It allows attackers to inject malicious scripts into websites using the plugin, which then execute when visitors access the affected site.

Exploitation requires user interaction, such as clicking a malicious link or submitting a form.

This vulnerability has a CVSS score of 7.1, indicating a medium severity level.

Impact Analysis

This vulnerability can impact you by allowing attackers to execute malicious scripts on your website visitors' browsers.

Such scripts can steal sensitive information, hijack user sessions, or perform actions on behalf of users without their consent.

Because the attack requires user interaction, users might be tricked into clicking malicious links or submitting forms that trigger the exploit.

If your site uses the vulnerable plugin version, it is important to update to version 2.5.0 or later to mitigate this risk.

Detection Guidance

This vulnerability affects WordPress Gutenverse Form Plugin versions 2.4.7 and below, allowing Cross Site Scripting (XSS) attacks via malicious script injection.

Detection can involve checking the installed plugin version to confirm if it is 2.4.7 or lower.

  • Use WP-CLI to check the Gutenverse Form plugin version: wp plugin list --status=active
  • Look for suspicious input or script injection attempts in web server logs or application logs.
  • Monitor HTTP requests for unusual parameters or payloads that could indicate attempted XSS exploitation.
Mitigation Strategies

The primary immediate mitigation is to update the Gutenverse Form plugin to version 2.5.0 or later, which contains the fix for this vulnerability.

Until the update can be applied, Patchstack has provided a mitigation rule to block attacks targeting this vulnerability.

  • Apply the Patchstack mitigation rule to block malicious requests.
  • Restrict or monitor user inputs on forms to prevent injection of malicious scripts.
  • Educate users to avoid clicking suspicious links or submitting untrusted forms.
Compliance Impact

The vulnerability allows attackers to inject malicious scripts into websites, which can lead to unauthorized access or manipulation of user data. Such security weaknesses can potentially result in non-compliance with data protection standards and regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and attacks.

Specifically, an unauthenticated Cross Site Scripting (XSS) vulnerability may expose users to data theft or session hijacking, thereby compromising confidentiality and integrity requirements mandated by these regulations.

Therefore, failure to patch this vulnerability in Gutenverse Form plugin versions 2.4.7 and below could increase the risk of regulatory violations related to data security.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56040. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart