PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-3001 jegstudio CVE debrief

A reflected cross-site scripting (XSS) vulnerability in the Gutenverse WordPress plugin allows unauthenticated attackers to inject arbitrary web scripts via a crafted URL. The vulnerability exists in the `render_content()` method within `class-search-result-title.php`, which outputs the search query parameter directly into HTML without proper escaping. Successful exploitation requires the `gutenverse/search-result-title` block to be present on the site's search results template, and depends on a user clicking a malicious link. The issue affects all versions up to and including 3.4.6. A changeset (3468383) has been committed to address the vulnerability.

Vendor
jegstudio
Product
Gutenverse – WordPress Blocks, Page Builder & Site Editor
CVSS
MEDIUM 6.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-27
Original CVE updated
2026-05-27
Advisory published
2026-05-27
Advisory updated
2026-05-27

Who should care

WordPress site administrators using the Gutenverse plugin, particularly those with search functionality enabled and the search-result-title block active on search templates. Security teams monitoring WordPress plugin vulnerabilities and managing web application firewall policies.

Technical summary

The Gutenverse plugin for WordPress, in versions up to and including 3.4.6, contains a reflected XSS vulnerability in the search-result-title block. The `render_content()` method in `includes/block/class-search-result-title.php` echoes `get_query_var('s')` into the block's markup without escaping, so whatever an attacker places in the `s` URL parameter is rendered as HTML in the search results page of any visitor who follows the crafted link. The CVSS 3.1 vector is AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, scoring 6.1 (Medium): no authentication is needed, the victim must click the link (UI:R), and the changed scope (S:C) reflects that the injected script runs in the victim's browser under the site's origin rather than in the plugin itself. Exploitation also requires the vulnerable block to be present on the site's search results template; sites that do not place `gutenverse/search-result-title` there are not exposed through this code path.

Defensive priority

medium

Recommended defensive actions

  • Update the Gutenverse plugin to a version later than 3.4.6 as soon as a patched release is available
  • Verify that the `gutenverse/search-result-title` block is not used on search results templates, or temporarily remove it if updates are not immediately feasible
  • Deploy a Content Security Policy (CSP) that does not permit inline scripts (no 'unsafe-inline' in script-src); this blocks the typical reflected payload from executing, but it is a mitigation, not a substitute for the update
  • Review web application firewall (WAF) rules to detect and block reflected XSS attempts targeting the search parameter
  • Audit site logs for requests whose 's' search parameter carries HTML tags, inline event-handler attributes or JavaScript; decode the parameter before matching, since payloads usually arrive percent-encoded, sometimes more than once
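
One way to carry out the log audit above, as an added example written for this debrief (it is not Wordfence's or Gutenverse's code): the script parses combined-format access logs, pulls every `s` value out of the request target, percent-decodes it repeatedly so double-encoded payloads are not missed, and flags values that contain tag openers, inline event handlers, `javascript:` URLs or common probe calls. The sample log lines and the marker patterns are constructed for illustration; tune the patterns against your own traffic before relying on them.

```python
"""Scan access logs for XSS payloads in the WordPress 's' search parameter.

Added example for this debrief (not Gutenverse or Wordfence code). The sample log
lines and the marker patterns below are constructed for illustration.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log format: ip ident user [ts] "METHOD target PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Fragments that have no business in a search query. Labels are reported per hit.
XSS_MARKERS = [
    ("html-tag", re.compile(r"<\s*/?\s*[a-z!]", re.I)),       # <script, <img, </svg, <!--
    ("event-handler", re.compile(r"\bon[a-z]+\s*=", re.I)),    # onerror=, onload=
    ("javascript-url", re.compile(r"javascript\s*:", re.I)),   # href="javascript:..."
    ("script-call", re.compile(r"\b(?:alert|prompt|confirm|eval)\s*\(", re.I)),
]


def normalize(value, rounds=3):
    """Percent-decode repeatedly so a double-encoded '<' (%253C) is seen as '<'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def search_terms(target):
    """Every 's' value in a request target; parse_qs decodes once and maps '+' to space."""
    return parse_qs(urlsplit(target).query, keep_blank_values=True).get("s", [])


def suspicious_markers(term):
    """Labels of the XSS markers present in a search term; empty if it looks benign."""
    text = normalize(term)
    return [label for label, rx in XSS_MARKERS if rx.search(text)]


def scan_log(lines):
    """Return one dict per request whose 's' parameter carries XSS markers."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        for term in search_terms(m["target"]):
            markers = suspicious_markers(term)
            if markers:
                hits.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"],
                             "term": normalize(term), "markers": markers})
    return hits


# Constructed sample: one benign search, one plain payload, one double-encoded payload,
# one benign query that happens to contain '<', and one unrelated request.
SAMPLE_LOG = [
    '203.0.113.5 - - [27/May/2026:10:01:02 +0000] "GET /?s=gutenberg+blocks HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [27/May/2026:10:01:09 +0000] "GET /?s=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5301 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [27/May/2026:10:02:15 +0000] "GET /?s=%253Cimg%2520src%253Dx%2520onerror%253Dalert(document.domain)%253E HTTP/1.1" 200 5299 "-" "curl/8.4"',
    '198.51.100.7 - - [27/May/2026:10:03:40 +0000] "GET /?s=1+%3C+2+comparison HTTP/1.1" 200 5100 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [27/May/2026:10:04:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['markers']} s={hit['term']!r}")
```

Replace `SAMPLE_LOG` with the lines of the server's access log to run it against real traffic. Two things to keep in mind: a 200 response to one of these requests only proves the parameter was reflected if the vulnerable block was on the search template at the time, so correlate hits with the plugin version and template history; and WordPress also accepts searches as `/search/<term>/` under pretty permalinks, so extend `search_terms` to read that path form if your site uses it.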

Evidence notes

The vulnerability was reported by Wordfence and is documented in the Wordfence Threat Intelligence database. Source code analysis confirms the vulnerable code path at line 29 of `class-search-result-title.php`, where `get_query_var('s')` is output without `esc_html()` or equivalent escaping. A patch has been committed to the plugin repository as changeset 3468383.

Official resources

2026-05-27