cpe:2.3:a:jegstudio:gutenverse_–_ultimate_wordpress_fse_blocks_addons_&_ecosystem:*:*:*:*:*:*:*:*

part: a version: * update: *

Vendor: Jegstudio (7e5068a5-768f-5183-b7a7-f81ad90102a9)
Product: Gutenverse – Ultimate Wordpress Fse Blocks Addons & Ecosystem (1afe1363-ab02-58fc-ac50-f119f7da0b35)
Edition: *
Language: *
Software edition: *
Target software: *
Target hardware: *
Other: *
Notes: Imported from gcve-enriched-dumps CVE data

PURL mappings

PURL | Source | Last updated
No PURL mappings for this CPE yet.

Vulnerability references

Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale
CVE:CVE-2026-2948 vulnerable 2026-06-08 07:55:17.869054 Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem <= 3.5.3 - Authenticated (Contributor+) Server-Side Request Forgery via 'imageUrl'
MEDIUM (6.4)
The Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 3.5.3 via the import_images() function. This makes it possible for authenticated attackers, with contributor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Published: 2026-05-05T03:37:37.872Z
Updated: 2026-05-06T14:04:31.871Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-2924 vulnerable 2026-06-08 07:55:17.836759 Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem <= 3.4.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'imageLoad'
MEDIUM (6.4)
The Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'imageLoad' parameter in versions up to, and including, 3.4.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-04-04T02:26:20.483Z
Updated: 2026-04-08T17:09:59.366Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-2868 vulnerable 2026-06-08 07:55:17.763405 Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem <= 3.5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'separatorIconSVG'
MEDIUM (6.4)
The Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'separatorIconSVG' parameter in versions up to, and including, 3.5.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-05-05T02:26:57.635Z
Updated: 2026-05-06T14:01:53.941Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-7727 vulnerable 2026-06-08 07:45:18.054268 Gutenverse <= 3.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Animated Text and Fun Fact Blocks
MEDIUM (6.4)
The Gutenverse plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Animated Text and Fun Fact blocks in all versions up to, and including, 3.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-08-06T06:38:39.516Z
Updated: 2026-04-08T17:01:36.684Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-2893 vulnerable 2026-06-08 07:16:58.605679 Gutenverse <= 2.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via countdown Block
MEDIUM (6.4)
The Gutenverse – Ultimate Block Addons and Page Builder for Site Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's countdown Block in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-04-29T06:37:46.803Z
Updated: 2026-04-08T16:58:35.221Z
Imported from gcve-enriched-dumps CVE data
