CVE April 25, 2026 3 min read

Stored XSS in Gutentor WordPress Plugin

Security researchers found a stored cross-site scripting (XSS) flaw in Gutentor. This WordPress page builder plugin has over 100,000 active installations. The vulnerability has a CVSS score of 5.4 (Medium severity).

CVE-2026-2951: What Is Gutentor?

Gutentor is a popular Gutenberg block builder. It lets users create custom layouts and designs. The plugin extends WordPress block editor capabilities. Many site owners use it for landing pages and content blocks.

CVE-2026-2951: Understanding the Vulnerability

CVE-2026-2951 involves stored XSS through improper input sanitization. The plugin fails to clean user-supplied data properly. An attacker can inject malicious scripts into posts or pages. These scripts execute when other users view the content.

The issue affects Gutentor versions up to 4.0.1. Older versions lack proper escaping on certain block attributes. Contributors and authors can exploit this flaw. They do not need special admin privileges to do so.

Impact on WordPress Sites

Stored XSS can lead to serious consequences. Attackers can steal session cookies from site visitors. They can redirect users to malicious websites. Attackers may also deface the affected site entirely.

The CVSS 5.4 score reflects what an attacker needs in order to exploit the flaw: an authenticated contributor or author account. However, the stored nature makes it dangerous. Injected content remains in the database until someone removes it manually. This creates ongoing risk for every site visitor.

Who Should Take Action

Anyone running Gutentor on their WordPress site needs to act. Check your current plugin version immediately. The fix came in version 4.0.2 and later releases. Update to the latest version without delay.

How to Protect Your Site

Follow these steps to stay safe from CVE-2026-2951. Update Gutentor to version 4.0.2 or higher. Review user roles with publishing permissions. Audit existing content for suspicious code. Use a security plugin to monitor for XSS attempts.

Keep all plugins updated as part of your routine. Enable automatic updates where possible. This reduces the window of vulnerability. Subscribe to security advisories for your plugins.
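The "audit existing content for suspicious code" step above can be done from the command line. The script below is an added example written for this page; it is not Gutentor's or WordPress core's code. It assumes WP-CLI is installed, that the file is saved as audit-stored-scripts.php in the site root, and that the indicator substrings in the list are a constructed starting point you extend for your own site. It queries the posts table through the core $wpdb API and prints every post or page whose stored content contains script-like markup, together with whether the hit sits inside a block delimiter comment, which is where block attributes are serialized.

```php
<?php
// Added example, not Gutentor's or WordPress core's code.
// Save as audit-stored-scripts.php in the site root and run:
//   wp eval-file audit-stored-scripts.php
// It lists posts whose stored content carries script-like markup so a person
// can review them. A hit is a lead for manual review, not proof of compromise.

global $wpdb;

// Constructed indicator substrings (assumption: extend for your own site).
// LIKE is case-insensitive under the default collations; $wpdb->esc_like()
// keeps % and _ in the needle literal inside the pattern.
$indicators = array( '<script', 'javascript:', 'onerror=', 'onload=' );

$clauses = array();
$args    = array();
foreach ( $indicators as $needle ) {
    $clauses[] = 'post_content LIKE %s';
    $args[]    = '%' . $wpdb->esc_like( $needle ) . '%';
}

$sql = "SELECT ID, post_title, post_author, post_type, post_status, post_modified
          FROM {$wpdb->posts}
         WHERE post_type IN ('post', 'page')
           AND post_status IN ('publish', 'pending', 'draft', 'future', 'private')
           AND (" . implode( ' OR ', $clauses ) . ")
      ORDER BY post_modified DESC";

// prepare() accepts the placeholder values as an array in its second argument.
$rows = $wpdb->get_results( $wpdb->prepare( $sql, $args ) );

if ( empty( $rows ) ) {
    WP_CLI::success( 'No script-like markup found in stored post or page content.' );
    return;
}

WP_CLI::warning( count( $rows ) . ' item(s) need review:' );

foreach ( $rows as $row ) {
    $author  = get_the_author_meta( 'user_login', (int) $row->post_author );
    $content = get_post_field( 'post_content', $row->ID );

    // Block attributes are serialized as JSON inside the block delimiter
    // comment (<!-- wp:namespace/name {...} -->). A hit on such a line points
    // at attribute injection rather than raw HTML typed into an HTML block.
    // \bon\w+\s*= matches event-handler attributes while skipping words such
    // as "font=" that merely contain "on".
    $in_delimiter = preg_match( '/<!--\s*wp:[^\r\n]*(<script|javascript:|\bon\w+\s*=)/i', $content )
        ? 'yes' : 'no';

    WP_CLI::log( sprintf(
        '[%d] %s | %s/%s | author: %s | modified: %s | in block delimiter: %s',
        $row->ID, $row->post_title, $row->post_type, $row->post_status,
        $author, $row->post_modified, $in_delimiter
    ) );
}
```

Review each reported item by opening it in the editor's code view rather than trusting the list alone: legitimate embeds and some themes' blocks also contain the word "script", so the output is a queue for a human, and the author column helps you cross-check the role review recommended above.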

Final Thoughts

CVE-2026-2951 shows why input sanitization matters. Even popular plugins can have security gaps. Gutentor developers responded quickly with a fix. Site owners must apply patches promptly to stay secure.

Stored XSS remains one of the most common WordPress vulnerabilities. Always validate and escape user input. TrustIWP recommends updating Gutentor today. Protect your site and your visitors from this threat.

The Gutentor plugin is available on wordpress.org/plugins/gutentor/.

Gutentor is a WordPress block plugin that extends the Gutenberg editor with over 35 custom blocks. It adds advanced layouts, post grids, sliders, and pricing tables to the block editor. Site builders who prefer the native WordPress editor use Gutentor to add more design flexibility without installing a full page builder.

The plugin has over 10,000 active installations and is actively maintained. Its growing user base makes it a regular target for security research.

Stored XSS in Gutentor

CVE-2026-2951 is a stored Cross-Site Scripting vulnerability in Gutentor. The plugin fails to properly sanitize user input before storing it in block attributes. When a visitor views a page with these blocks, the injected JavaScript executes in their browser.

The CVSS score is 5.4 (Medium). An authenticated attacker with contributor-level access or higher can inject malicious scripts. The scripts execute for both administrators and regular visitors.
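The two descriptions of the flaw above (improper sanitization of block attributes, and JavaScript stored in those attributes running in visitors' browsers) describe one defect class: a dynamic block's render callback writing attribute values into HTML unescaped. The code below is an added example written for this page, not Gutentor's code and not a reconstruction of the patched function. It assumes a hypothetical block named example/callout with hypothetical attributes title, body, link and label, and shows the vulnerable shape next to the hardened one using only WordPress core escaping functions.

```php
<?php
// Added example, not Gutentor's code: a hypothetical "example/callout" block
// with a server-side render callback. The first function has the defect
// class described above; the second is the fixed form.

// VULNERABLE: block attributes are written into the page unescaped. Any role
// that can save a post (contributor, author) controls these strings, and
// whatever markup they contain is served to everyone who views the post.
function example_callout_render_vulnerable( array $attributes ): string {
    $title = $attributes['title'] ?? '';
    $body  = $attributes['body'] ?? '';
    $link  = $attributes['link'] ?? '';
    return '<div class="callout"><h3>' . $title . '</h3>'
         . '<div class="callout-body">' . $body . '</div>'
         . '<a href="' . $link . '">Read more</a></div>';
}

// HARDENED: escape on output, choosing the escaper for the context each value
// lands in. All four are WordPress core functions:
//   esc_html()     text between tags
//   esc_attr()     quoted attribute values
//   esc_url()      href/src values (rejects javascript: and other unsafe schemes)
//   wp_kses_post() attributes that legitimately hold rich text; keeps the HTML
//                  allowed in post content and strips script tags and on* handlers
function example_callout_render_hardened( array $attributes ): string {
    $title = esc_html( $attributes['title'] ?? '' );
    $body  = wp_kses_post( $attributes['body'] ?? '' );
    $link  = esc_url( $attributes['link'] ?? '' );
    $label = esc_attr( $attributes['label'] ?? 'Read more' );
    return '<div class="callout"><h3>' . $title . '</h3>'
         . '<div class="callout-body">' . $body . '</div>'
         . '<a href="' . $link . '" aria-label="' . $label . '">Read more</a></div>';
}

// Register the block with a typed attribute schema and the hardened callback.
// The schema is a hint for the editor, not a sanitizer: a "string" attribute
// is stored with whatever content the editor sends, so escaping in the render
// callback is still required.
add_action( 'init', function () {
    register_block_type( 'example/callout', array(
        'attributes'      => array(
            'title' => array( 'type' => 'string', 'default' => '' ),
            'body'  => array( 'type' => 'string', 'default' => '' ),
            'link'  => array( 'type' => 'string', 'default' => '' ),
            'label' => array( 'type' => 'string', 'default' => '' ),
        ),
        'render_callback' => 'example_callout_render_hardened',
    ) );
} );
```

The design point is escaping late and per context: a value that is safe inside an href is not automatically safe as text, and vice versa, so the render callback is the right place to apply the escaper, regardless of what the editor-side JavaScript did when the block was saved.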

Real-World Impact

A stored XSS attack through Gutentor can steal admin cookies, allowing the attacker to hijack admin sessions. Once they have admin access, they can install malicious plugins, modify content, or create backdoor admin accounts. The injected scripts persist in the database until manually removed.

For site visitors, the scripts can redirect them to phishing pages, track their browsing, or deliver malware. This damages your site’s reputation and can trigger Google Safe Browsing warnings.
