🔎 Have you found a vulnerability in a WordPress plugin or theme? Report vulnerabilities in WordPress plugins and themes through our bug bounty program and earn a bounty on all in-scope submissions, while we handle the responsible disclosure process on your behalf.

Gutenberg

Wordfence Intelligence > Vulnerability Database > WordPress Plugins > Gutenberg

Information

Software Type	Plugin
Software Slug	gutenberg (view on wordpress.org)
Software Status	Active
Software Author	matveb
Software Website	github.com
Software Downloads	42,833,539
Software Active Installs	300,000
Software Record Last Updated	July 26, 2024

5 Vulnerabilities

WordPress Core < 6.5.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Template Part Block

6.4

CVE-2024-31111

Jun 24, 2024

Researcher: Rafie Muhammad

Gutenberg 12.9.0 - 18.0.0 - Unauthenticated & Authenticated (Contributor+) Stored Cross-Site Scripting via Avatar Block

6.4

CVE ID Unknown

Apr 9, 2024

Researchers: John Blackbourn, stealthcopter

WordPress Core 5.9-6.3.1 - Authenticated(Contributor+) Stored Cross-Site Scripting via Navigation Attributes

6.4

CVE-2023-38000

Oct 12, 2023

Researchers: Rafie Muhammad, Edourard L

WordPress Core < 6.0.3 & Gutenberg < 14.3.1 - Authenticated Cross-Site Scripting in Various Blocks

6.4

CVE ID Unknown

Oct 18, 2022

Researcher: Alex Concha

WordPress Core < 5.9.2 & Gutenberg < 12.7.2 - Prototype Pollution via Block Editor

5.4

CVE ID Unknown

Mar 11, 2022

Researcher: Researchers from Johns Hopkins University

Title	Status	CVE ID	CVSS	Researchers	Date
WordPress Core < 6.5.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Template Part Block	Patched	CVE-2024-31111	6.4	Rafie Muhammad	June 24, 2024
Gutenberg 12.9.0 - 18.0.0 - Unauthenticated & Authenticated (Contributor+) Stored Cross-Site Scripting via Avatar Block	Patched		6.4	John Blackbourn, stealthcopter	April 9, 2024
WordPress Core 5.9-6.3.1 - Authenticated(Contributor+) Stored Cross-Site Scripting via Navigation Attributes	Patched	CVE-2023-38000	6.4	Rafie Muhammad, Edourard L	October 12, 2023
WordPress Core < 6.0.3 & Gutenberg < 14.3.1 - Authenticated Cross-Site Scripting in Various Blocks	Patched		6.4	Alex Concha	October 18, 2022
WordPress Core < 5.9.2 & Gutenberg < 12.7.2 - Prototype Pollution via Block Editor	Patched		5.4	Researchers from Johns Hopkins University	March 11, 2022

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation