WordPress Plugin Vulnerabilities

Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem < 3.6.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'separatorIconSVG'

Description

The Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'separatorIconSVG' parameter in versions up to, and including, 3.5.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
gutenverse
Fixed in 3.6.0

References

CVE
CVE-2026-2868
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/cc540e5c-180f-4743-b1fb-608aa0e3ae79

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.5 (Medium)

Miscellaneous

Original Researcher
Athiwat Tiprasaharn (Jitlada)
Verified
No
WPVDB ID
2f990817-e6f0-4fd7-8a65-c665b2ed42a3

Timeline

Publicly Published
2026-05-04 (about 10 days ago)
Added
2026-05-04 (about 10 days ago)
Last Updated
2026-05-05 (about 10 days ago)

Other

Published
Title
Published
2023-05-30
Title
Woocommerce Order address Print <= 3.2 - Reflected XSS
Published
2025-04-16
Title
Responsive Blocks < 2.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2023-09-06
Title
Newsletter < 7.9.0 - Contributor+ Stored XSS
Published
2025-09-22
Title
Plugin Security Scanner <= 2.0.2 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2024-09-23
Title
Garden Gnome Package < 2.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting