CVE-2024-43920: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in Jegstudio Gutenverse, affecting versions through 1.9.4. The vulnerability was reported on July 27, 2024, by João Pedro S Alcântara and publicly disclosed on August 26, 2024. Gutenverse is a WordPress plugin that provides Gutenberg blocks and page builder functionality for the site editor (Patchstack).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79). It received a CVSS v3.1 base score of 5.4 (MEDIUM) from NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, while Patchstack assigned it a slightly higher score of 6.5 (MEDIUM) with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L (NVD).

The vulnerability could allow a malicious actor to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website, which would be executed when visitors access the site. The attack requires contributor-level privileges or higher to exploit (Patchstack).

The vulnerability has been fixed in version 2.0.0 of the Gutenverse plugin. Users are advised to update to version 2.0.0 or later to remove the vulnerability (Patchstack).