VYPR
Medium severity6.1NVD Advisory· Published May 27, 2026· Updated May 27, 2026

CVE-2026-3001

CVE-2026-3001

Description

The Gutenverse plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 's' parameter in all versions up to, and including, 3.4.6 due to insufficient input sanitization and output escaping. Specifically, the render_content() method in class-search-result-title.php outputs the value of get_query_var('s') directly into the page HTML without applying esc_html() or any other escaping function. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages via a crafted URL that execute if a user clicks the link, provided the gutenverse/search-result-title block is present on the site's search results template.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2

Patches

Vulnerability mechanics

References

3

News mentions

1