CVE-2026-3001
Description
The Gutenverse plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 's' parameter in all versions up to, and including, 3.4.6 due to insufficient input sanitization and output escaping. Specifically, the render_content() method in class-search-result-title.php outputs the value of get_query_var('s') directly into the page HTML without applying esc_html() or any other escaping function. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages via a crafted URL that execute if a user clicks the link, provided the gutenverse/search-result-title block is present on the site's search results template.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Gutenverse plugin for WordPress up to 3.4.6 is vulnerable to reflected XSS via the 's' parameter due to insufficient sanitization in the search result title block.
Vulnerability
A reflected cross-site scripting vulnerability exists in the Gutenverse plugin for WordPress in all versions up to and including 3.4.6. The bug resides in the render_content() method of class-search-result-title.php. This method outputs the value of get_query_var('s') (the search query string) directly into the page HTML without applying esc_html() or any other escaping function. The vulnerability is reachable when the gutenverse/search-result-title block is present on the site's search results template.
Exploitation
An unauthenticated attacker can craft a malicious URL containing a JavaScript payload in the 's' parameter. The attacker then sends this URL to a victim (e.g., via a phishing email or a link on another site). If the victim clicks the link and the site uses the Gutenverse search result title block, the payload executes in the victim's browser within the context of the vulnerable WordPress site.
Impact
Successful exploitation allows the attacker to inject arbitrary web scripts (JavaScript) into the page. The attacker can perform actions such as stealing session cookies, redirecting the user to a malicious site, or modifying page content. The attack is reflected and requires user interaction—the victim must click the crafted link. No authentication is needed to trigger the vulnerable code path.
Mitigation
The patch is included in version 3.4.7 of the Gutenverse plugin. The fix applies esc_html() to the search query value before output. Users should update to version 3.4.7 or later immediately. For sites that cannot update, the affected block (gutenverse/search-result-title) can be removed from the search results template as a workaround [1].
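The following is an added illustrative example, not the Gutenverse plugin's own code and not the actual patch. It contrasts the unescaped output pattern the advisory describes (a render_content() method echoing get_query_var('s') straight into markup) with the esc_html()-escaped form the fix applies. The class names, the method bodies and the polyfills for esc_html() and get_query_var() are assumptions so the file runs under the PHP CLI outside WordPress; inside WordPress the core functions are already defined and take precedence.

```php
<?php
// Added example (not the plugin's code): a simplified search-result-title
// renderer before and after output escaping. Class structure is assumed.

// Polyfill so this file runs stand-alone. WordPress core defines esc_html()
// with equivalent behaviour for text content (entities for <, >, &, ", ').
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Assumption: stand-in for WordPress's get_query_var(), which for the search
// template resolves the 's' query var from the request.
if (!function_exists('get_query_var')) {
    function get_query_var($var, $default = '') {
        return isset($_GET[$var]) ? (string) $_GET[$var] : $default;
    }
}

class Search_Result_Title_Unescaped {
    // The pattern described in the advisory: the raw search term is
    // concatenated into the page HTML, so any markup in it is rendered.
    public function render_content() {
        $search = get_query_var('s');
        return '<h1 class="search-result-title">Search results for: ' . $search . '</h1>';
    }
}

class Search_Result_Title_Escaped {
    // The fixed pattern: the term is escaped on output, so characters with
    // HTML meaning become entities and the browser shows them as text.
    public function render_content() {
        $search = get_query_var('s');
        return '<h1 class="search-result-title">Search results for: ' . esc_html($search) . '</h1>';
    }
}

// Constructed sample input: a search term that happens to contain markup
// characters. This is test data, not a payload.
$_GET['s'] = 'shoes <b>"sale"</b> & more';

echo "unescaped: ", (new Search_Result_Title_Unescaped())->render_content(), PHP_EOL;
echo "escaped:   ", (new Search_Result_Title_Escaped())->render_content(), PHP_EOL;
```

Run it with `php example.php`: the first line reproduces the `<b>` tags inside the heading, the second renders them as `&lt;b&gt;`, `&quot;sale&quot;` and `&amp;`. The choice of escaping function follows the output context: esc_html() is correct for text between tags, as in this block; a value written into an attribute would need esc_attr() instead, and a value placed inside a script or URL needs the matching escaper for that context.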
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- (no CPE) range: <=3.4.6
- (no CPE) range: <=3.4.6
Patches (1)
- r3468383
References (3)