Search

Find a vulnerability

Search criteria

    8 vulnerabilities found for Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor by gutentor

    CVE-2026-2951 (GCVE-0-2026-2951)

    Vulnerability from nvd – Published: 2026-04-23 02:25 – Updated: 2026-04-23 12:51
    VLAI
    Title
    Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor <= 3.5.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Gutentor Block HTML
    Summary
    The Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.5.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Credits
    Muhammad Yudha - DJ
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-2951",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-23T12:49:27.084318Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-23T12:51:56.328Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Gutentor \u2013 Gutenberg Blocks \u2013 Page Builder for Gutenberg Editor",
              "vendor": "gutentor",
              "versions": [
                {
                  "lessThanOrEqual": "3.5.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Muhammad Yudha - DJ"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Gutentor \u2013 Gutenberg Blocks \u2013 Page Builder for Gutenberg Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.5.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-23T02:25:21.258Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d7c639b8-35f5-4eaf-a663-1adab3ba2a16?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3495930/gutentor"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-04-22T13:44:42.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Gutentor \u2013 Gutenberg Blocks \u2013 Page Builder for Gutenberg Editor \u003c= 3.5.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Gutentor Block HTML"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-2951",
        "datePublished": "2026-04-23T02:25:21.258Z",
        "dateReserved": "2026-02-21T20:23:25.224Z",
        "dateUpdated": "2026-04-23T12:51:56.328Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-4685 (GCVE-0-2025-4685)

    Vulnerability from nvd – Published: 2025-07-21 07:23 – Updated: 2026-04-08 16:35
    VLAI
    Title
    Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor <= 3.4.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets
    Summary
    The Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the HTML data attributes of multiple widgets, in all versions up to, and including, 3.4.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Credits
    Craig Smith
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-4685",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-07-21T15:17:25.235751Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-07-21T15:17:44.800Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Gutentor \u2013 Gutenberg Blocks \u2013 Page Builder for Gutenberg Editor",
              "vendor": "gutentor",
              "versions": [
                {
                  "lessThanOrEqual": "3.4.8",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Craig Smith"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Gutentor \u2013 Gutenberg Blocks \u2013 Page Builder for Gutenberg Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the HTML data attributes of multiple widgets, in all versions up to, and including, 3.4.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:35:32.370Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0e9ec6af-fa51-4e14-abf6-450c1ca6f8d5?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3320485/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-05-10T00:00:00.000Z",
              "value": "Discovered"
            },
            {
              "lang": "en",
              "time": "2025-07-20T18:48:55.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Gutentor \u2013 Gutenberg Blocks \u2013 Page Builder for Gutenberg Editor \u003c= 3.4.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-4685",
        "datePublished": "2025-07-21T07:23:24.354Z",
        "dateReserved": "2025-05-14T12:23:47.204Z",
        "dateUpdated": "2026-04-08T16:35:32.370Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-5647 (GCVE-0-2024-5647)

    Vulnerability from nvd – Published: 2025-07-03 09:22 – Updated: 2026-04-08 17:27
    VLAI
    Title
    Multiple Plugins <= (Various Versions) - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Magnific Popups JavaScript Library
    Summary
    Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled Magnific Popups library (version 1.1.0) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: This vulnerability was fixed in the upstream library (Magnific Popups version 1.2.0) by disabling the loading of HTML within certain fields by default.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    blossomthemes BlossomThemes Social Feed Affected: 0 , ≤ 2.0.5 (semver)
    Create a notification for this product.
    sayful Carousel Slider Affected: 0 , ≤ 2.2.14 (semver)
    Create a notification for this product.
    divisupreme Supreme Modules Lite – Divi Theme, Extra Theme and Divi Builder Affected: 0 , ≤ 2.5.52 (semver)
    Create a notification for this product.
    robosoft Robo Gallery – Photo & Image Slider Affected: 0 , ≤ 3.2.22 (semver)
    Create a notification for this product.
    gutentor Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor Affected: 0 , ≤ 3.4.9 (semver)
    Create a notification for this product.
    oceanwp OceanWP Affected: 0 , ≤ 3.6.0 (semver)
    Create a notification for this product.
    thehappymonster Happy Addons for Elementor Affected: 0 , ≤ 3.12.2 (semver)
    Create a notification for this product.
    badhonrocks Divi Torque Lite – Divi Theme, Divi Builder & Extra Theme Affected: 0 , ≤ 4.0.5 (semver)
    Create a notification for this product.
    Elegant Themes Divi Builder Affected: 0 , ≤ 4.27.1 (semver)
    Create a notification for this product.
    Elegant Themes Divi Affected: 0 , ≤ 4.27.1 (semver)
    Create a notification for this product.
    Elegant Themes Divi Extra Affected: 0 , ≤ 4.27.1 (semver)
    Create a notification for this product.
    boldthemes Bold Page Builder Affected: 0 , ≤ 5.1.2 (semver)
    Create a notification for this product.
    wpdevteam Essential Addons for Elementor – Popular Elementor Templates & Widgets Affected: 0 , ≤ 6.0.4 (semver)
    Create a notification for this product.
    gn_themes WP Shortcodes Plugin — Shortcodes Ultimate Affected: 0 , ≤ 7.4.2 (semver)
    Create a notification for this product.
    Credits
    Craig Smith
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-5647",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-07-03T12:59:42.727059Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-07-03T13:17:30.817Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "BlossomThemes Social Feed",
              "vendor": "blossomthemes",
              "versions": [
                {
                  "lessThanOrEqual": "2.0.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Carousel Slider",
              "vendor": "sayful",
              "versions": [
                {
                  "lessThanOrEqual": "2.2.14",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Supreme Modules Lite \u2013 Divi Theme, Extra Theme and Divi Builder",
              "vendor": "divisupreme",
              "versions": [
                {
                  "lessThanOrEqual": "2.5.52",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Robo Gallery \u2013 Photo \u0026 Image Slider",
              "vendor": "robosoft",
              "versions": [
                {
                  "lessThanOrEqual": "3.2.22",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Gutentor \u2013 Gutenberg Blocks \u2013 Page Builder for Gutenberg Editor",
              "vendor": "gutentor",
              "versions": [
                {
                  "lessThanOrEqual": "3.4.9",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "OceanWP",
              "vendor": "oceanwp",
              "versions": [
                {
                  "lessThanOrEqual": "3.6.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Happy Addons for Elementor",
              "vendor": "thehappymonster",
              "versions": [
                {
                  "lessThanOrEqual": "3.12.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Divi Torque Lite \u2013 Divi Theme, Divi Builder \u0026 Extra Theme",
              "vendor": "badhonrocks",
              "versions": [
                {
                  "lessThanOrEqual": "4.0.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Divi Builder",
              "vendor": "Elegant Themes",
              "versions": [
                {
                  "lessThanOrEqual": "4.27.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Divi",
              "vendor": "Elegant Themes",
              "versions": [
                {
                  "lessThanOrEqual": "4.27.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Divi Extra",
              "vendor": "Elegant Themes",
              "versions": [
                {
                  "lessThanOrEqual": "4.27.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Bold Page Builder",
              "vendor": "boldthemes",
              "versions": [
                {
                  "lessThanOrEqual": "5.1.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Essential Addons for Elementor \u2013 Popular Elementor Templates \u0026 Widgets",
              "vendor": "wpdevteam",
              "versions": [
                {
                  "lessThanOrEqual": "6.0.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "WP Shortcodes Plugin \u2014 Shortcodes Ultimate",
              "vendor": "gn_themes",
              "versions": [
                {
                  "lessThanOrEqual": "7.4.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Craig Smith"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin\u0027s bundled Magnific Popups library (version 1.1.0) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: This vulnerability was fixed in the upstream library (Magnific Popups version 1.2.0) by disabling the loading of HTML within certain fields by default."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:27:25.153Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/dae80fc2-3076-4a32-876d-5df1c62de9bd?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/shortcodes-ultimate/trunk/vendor/magnific-popup/magnific-popup.js"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/trunk/assets/front-end/js/lib-view/magnific-popup/jquery.magnific-popup.js"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/bold-page-builder/trunk/content_elements_misc/js/jquery.magnific-popup.js"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3154460/happy-elementor-addons"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3153781/bold-page-builder"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/robo-gallery/trunk/js/robo_gallery.js#L56"
            },
            {
              "url": "https://www.elegantthemes.com/api/changelog/divi.txt"
            },
            {
              "url": "https://www.elegantthemes.com/api/changelog/extra.txt"
            },
            {
              "url": "https://www.elegantthemes.com/api/changelog/divi-builder.txt"
            },
            {
              "url": "https://themes.trac.wordpress.org/changeset/244604/oceanwp"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3153700/essential-addons-for-elementor-lite"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3184626/addons-for-divi"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3201991/robo-gallery"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3166204/carousel-slider"
            },
            {
              "url": "https://github.com/dimsemenov/Magnific-Popup/releases/tag/1.2.0"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-06-05T00:00:00.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2025-07-02T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Multiple Plugins \u003c= (Various Versions) - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Magnific Popups JavaScript Library"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-5647",
        "datePublished": "2025-07-03T09:22:19.308Z",
        "dateReserved": "2024-06-04T21:31:54.009Z",
        "dateUpdated": "2026-04-08T17:27:25.153Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-10178 (GCVE-0-2024-10178)

    Vulnerability from nvd – Published: 2024-12-05 04:23 – Updated: 2026-04-08 16:37
    VLAI
    Title
    Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor <= 3.3.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Widget
    Summary
    The Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Countdown widget in all versions up to, and including, 3.3.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Credits
    Craig Smith
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-10178",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-05T11:05:51.545950Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-12-05T11:13:25.292Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Gutentor \u2013 Gutenberg Blocks \u2013 Page Builder for Gutenberg Editor",
              "vendor": "gutentor",
              "versions": [
                {
                  "lessThanOrEqual": "3.3.9",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Craig Smith"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Gutentor \u2013 Gutenberg Blocks \u2013 Page Builder for Gutenberg Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s Countdown widget in all versions up to, and including, 3.3.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:37:31.888Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/17ecebfd-b07f-415f-892f-e069ab84031a?source=cve"
            },
            {
              "url": "https://wordpress.org/plugins/gutentor/#developers"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3199233%40gutentor%2Ftrunk\u0026old=3179242%40gutentor%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-12-04T16:20:44.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Gutentor \u2013 Gutenberg Blocks \u2013 Page Builder for Gutenberg Editor \u003c= 3.3.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Widget"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-10178",
        "datePublished": "2024-12-05T04:23:53.349Z",
        "dateReserved": "2024-10-18T21:47:17.751Z",
        "dateUpdated": "2026-04-08T16:37:31.888Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-2951 (GCVE-0-2026-2951)

    Vulnerability from cvelistv5 – Published: 2026-04-23 02:25 – Updated: 2026-04-23 12:51
    VLAI
    Title
    Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor <= 3.5.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Gutentor Block HTML
    Summary
    The Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.5.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Credits
    Muhammad Yudha - DJ
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-2951",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-23T12:49:27.084318Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-23T12:51:56.328Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Gutentor \u2013 Gutenberg Blocks \u2013 Page Builder for Gutenberg Editor",
              "vendor": "gutentor",
              "versions": [
                {
                  "lessThanOrEqual": "3.5.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Muhammad Yudha - DJ"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Gutentor \u2013 Gutenberg Blocks \u2013 Page Builder for Gutenberg Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.5.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-23T02:25:21.258Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d7c639b8-35f5-4eaf-a663-1adab3ba2a16?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3495930/gutentor"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-04-22T13:44:42.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Gutentor \u2013 Gutenberg Blocks \u2013 Page Builder for Gutenberg Editor \u003c= 3.5.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Gutentor Block HTML"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-2951",
        "datePublished": "2026-04-23T02:25:21.258Z",
        "dateReserved": "2026-02-21T20:23:25.224Z",
        "dateUpdated": "2026-04-23T12:51:56.328Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-4685 (GCVE-0-2025-4685)

    Vulnerability from cvelistv5 – Published: 2025-07-21 07:23 – Updated: 2026-04-08 16:35
    VLAI
    Title
    Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor <= 3.4.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets
    Summary
    The Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the HTML data attributes of multiple widgets, in all versions up to, and including, 3.4.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Credits
    Craig Smith
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-4685",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-07-21T15:17:25.235751Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-07-21T15:17:44.800Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Gutentor \u2013 Gutenberg Blocks \u2013 Page Builder for Gutenberg Editor",
              "vendor": "gutentor",
              "versions": [
                {
                  "lessThanOrEqual": "3.4.8",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Craig Smith"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Gutentor \u2013 Gutenberg Blocks \u2013 Page Builder for Gutenberg Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the HTML data attributes of multiple widgets, in all versions up to, and including, 3.4.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:35:32.370Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0e9ec6af-fa51-4e14-abf6-450c1ca6f8d5?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3320485/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-05-10T00:00:00.000Z",
              "value": "Discovered"
            },
            {
              "lang": "en",
              "time": "2025-07-20T18:48:55.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Gutentor \u2013 Gutenberg Blocks \u2013 Page Builder for Gutenberg Editor \u003c= 3.4.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-4685",
        "datePublished": "2025-07-21T07:23:24.354Z",
        "dateReserved": "2025-05-14T12:23:47.204Z",
        "dateUpdated": "2026-04-08T16:35:32.370Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-5647 (GCVE-0-2024-5647)

    Vulnerability from cvelistv5 – Published: 2025-07-03 09:22 – Updated: 2026-04-08 17:27
    VLAI
    Title
    Multiple Plugins <= (Various Versions) - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Magnific Popups JavaScript Library
    Summary
    Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled Magnific Popups library (version 1.1.0) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: This vulnerability was fixed in the upstream library (Magnific Popups version 1.2.0) by disabling the loading of HTML within certain fields by default.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    blossomthemes BlossomThemes Social Feed Affected: 0 , ≤ 2.0.5 (semver)
    Create a notification for this product.
    sayful Carousel Slider Affected: 0 , ≤ 2.2.14 (semver)
    Create a notification for this product.
    divisupreme Supreme Modules Lite – Divi Theme, Extra Theme and Divi Builder Affected: 0 , ≤ 2.5.52 (semver)
    Create a notification for this product.
    robosoft Robo Gallery – Photo & Image Slider Affected: 0 , ≤ 3.2.22 (semver)
    Create a notification for this product.
    gutentor Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor Affected: 0 , ≤ 3.4.9 (semver)
    Create a notification for this product.
    oceanwp OceanWP Affected: 0 , ≤ 3.6.0 (semver)
    Create a notification for this product.
    thehappymonster Happy Addons for Elementor Affected: 0 , ≤ 3.12.2 (semver)
    Create a notification for this product.
    badhonrocks Divi Torque Lite – Divi Theme, Divi Builder & Extra Theme Affected: 0 , ≤ 4.0.5 (semver)
    Create a notification for this product.
    Elegant Themes Divi Builder Affected: 0 , ≤ 4.27.1 (semver)
    Create a notification for this product.
    Elegant Themes Divi Affected: 0 , ≤ 4.27.1 (semver)
    Create a notification for this product.
    Elegant Themes Divi Extra Affected: 0 , ≤ 4.27.1 (semver)
    Create a notification for this product.
    boldthemes Bold Page Builder Affected: 0 , ≤ 5.1.2 (semver)
    Create a notification for this product.
    wpdevteam Essential Addons for Elementor – Popular Elementor Templates & Widgets Affected: 0 , ≤ 6.0.4 (semver)
    Create a notification for this product.
    gn_themes WP Shortcodes Plugin — Shortcodes Ultimate Affected: 0 , ≤ 7.4.2 (semver)
    Create a notification for this product.
    Credits
    Craig Smith
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-5647",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-07-03T12:59:42.727059Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-07-03T13:17:30.817Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "BlossomThemes Social Feed",
              "vendor": "blossomthemes",
              "versions": [
                {
                  "lessThanOrEqual": "2.0.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Carousel Slider",
              "vendor": "sayful",
              "versions": [
                {
                  "lessThanOrEqual": "2.2.14",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Supreme Modules Lite \u2013 Divi Theme, Extra Theme and Divi Builder",
              "vendor": "divisupreme",
              "versions": [
                {
                  "lessThanOrEqual": "2.5.52",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Robo Gallery \u2013 Photo \u0026 Image Slider",
              "vendor": "robosoft",
              "versions": [
                {
                  "lessThanOrEqual": "3.2.22",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Gutentor \u2013 Gutenberg Blocks \u2013 Page Builder for Gutenberg Editor",
              "vendor": "gutentor",
              "versions": [
                {
                  "lessThanOrEqual": "3.4.9",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "OceanWP",
              "vendor": "oceanwp",
              "versions": [
                {
                  "lessThanOrEqual": "3.6.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Happy Addons for Elementor",
              "vendor": "thehappymonster",
              "versions": [
                {
                  "lessThanOrEqual": "3.12.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Divi Torque Lite \u2013 Divi Theme, Divi Builder \u0026 Extra Theme",
              "vendor": "badhonrocks",
              "versions": [
                {
                  "lessThanOrEqual": "4.0.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Divi Builder",
              "vendor": "Elegant Themes",
              "versions": [
                {
                  "lessThanOrEqual": "4.27.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Divi",
              "vendor": "Elegant Themes",
              "versions": [
                {
                  "lessThanOrEqual": "4.27.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Divi Extra",
              "vendor": "Elegant Themes",
              "versions": [
                {
                  "lessThanOrEqual": "4.27.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Bold Page Builder",
              "vendor": "boldthemes",
              "versions": [
                {
                  "lessThanOrEqual": "5.1.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Essential Addons for Elementor \u2013 Popular Elementor Templates \u0026 Widgets",
              "vendor": "wpdevteam",
              "versions": [
                {
                  "lessThanOrEqual": "6.0.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "WP Shortcodes Plugin \u2014 Shortcodes Ultimate",
              "vendor": "gn_themes",
              "versions": [
                {
                  "lessThanOrEqual": "7.4.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Craig Smith"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin\u0027s bundled Magnific Popups library (version 1.1.0) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: This vulnerability was fixed in the upstream library (Magnific Popups version 1.2.0) by disabling the loading of HTML within certain fields by default."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:27:25.153Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/dae80fc2-3076-4a32-876d-5df1c62de9bd?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/shortcodes-ultimate/trunk/vendor/magnific-popup/magnific-popup.js"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/trunk/assets/front-end/js/lib-view/magnific-popup/jquery.magnific-popup.js"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/bold-page-builder/trunk/content_elements_misc/js/jquery.magnific-popup.js"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3154460/happy-elementor-addons"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3153781/bold-page-builder"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/robo-gallery/trunk/js/robo_gallery.js#L56"
            },
            {
              "url": "https://www.elegantthemes.com/api/changelog/divi.txt"
            },
            {
              "url": "https://www.elegantthemes.com/api/changelog/extra.txt"
            },
            {
              "url": "https://www.elegantthemes.com/api/changelog/divi-builder.txt"
            },
            {
              "url": "https://themes.trac.wordpress.org/changeset/244604/oceanwp"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3153700/essential-addons-for-elementor-lite"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3184626/addons-for-divi"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3201991/robo-gallery"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3166204/carousel-slider"
            },
            {
              "url": "https://github.com/dimsemenov/Magnific-Popup/releases/tag/1.2.0"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-06-05T00:00:00.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2025-07-02T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Multiple Plugins \u003c= (Various Versions) - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Magnific Popups JavaScript Library"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-5647",
        "datePublished": "2025-07-03T09:22:19.308Z",
        "dateReserved": "2024-06-04T21:31:54.009Z",
        "dateUpdated": "2026-04-08T17:27:25.153Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-10178 (GCVE-0-2024-10178)

    Vulnerability from cvelistv5 – Published: 2024-12-05 04:23 – Updated: 2026-04-08 16:37
    VLAI
    Title
    Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor <= 3.3.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Widget
    Summary
    The Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Countdown widget in all versions up to, and including, 3.3.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Credits
    Craig Smith
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-10178",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-05T11:05:51.545950Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-12-05T11:13:25.292Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Gutentor \u2013 Gutenberg Blocks \u2013 Page Builder for Gutenberg Editor",
              "vendor": "gutentor",
              "versions": [
                {
                  "lessThanOrEqual": "3.3.9",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Craig Smith"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Gutentor \u2013 Gutenberg Blocks \u2013 Page Builder for Gutenberg Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s Countdown widget in all versions up to, and including, 3.3.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:37:31.888Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/17ecebfd-b07f-415f-892f-e069ab84031a?source=cve"
            },
            {
              "url": "https://wordpress.org/plugins/gutentor/#developers"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3199233%40gutentor%2Ftrunk\u0026old=3179242%40gutentor%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-12-04T16:20:44.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Gutentor \u2013 Gutenberg Blocks \u2013 Page Builder for Gutenberg Editor \u003c= 3.3.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Widget"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-10178",
        "datePublished": "2024-12-05T04:23:53.349Z",
        "dateReserved": "2024-10-18T21:47:17.751Z",
        "dateUpdated": "2026-04-08T16:37:31.888Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }