CVE-2025-5234: 
WordPress vulnerability analysis and mitigation

The Gutenverse News plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability (CVE-2025-5234) discovered on June 18, 2025 and publicly disclosed on June 19, 2025. The vulnerability affects all versions up to and including 1.0.4 of the plugin (NVD, Wiz).

The vulnerability stems from insufficient input sanitization and output escaping of the 'elementId' parameter in the class-grab.php file. The issue has been assigned a CVSS v3.1 base score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N, indicating it requires low attack complexity and privileged access (NVD, Wiz).

When exploited, this vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an affected page, potentially leading to theft of sensitive information or manipulation of page content (NVD).

The vulnerability has been patched in version 2.0.0 of the Gutenverse News plugin. The update includes fixes for the vulnerability in the elementId parameter and other security improvements. Users are strongly advised to update to version 2.0.0 or later (WordPress Plugin).