Stored Cross-Site Scripting Vulnerability in Gutenverse Form Plugin for WordPress
CVE-2025-14984

6.4MEDIUM

Key Information:

Vendor

WordPress
Status
Gutenverse Form – Contact Form Builder, Booking, Reservation, Subscribe For Block Editor
Vendor
CVE Published:
8 January 2026

What is CVE-2025-14984?

The Gutenverse Form plugin for WordPress has a serious flaw due to its framework component allowing SVG file uploads without adequate content sanitization. This vulnerability enables authorized users with Author-level access and higher to upload SVG files containing harmful JavaScript. When these files are accessed, the malicious script executes in the browsers of users who view the affected content, potentially leading to unauthorized actions and data theft.

Affected Version(s)

Gutenverse Form – Contact Form Builder, Booking, Reservation, Subscribe for Block Editor * <= 2.3.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/gutenverse-for...
https://plugins.trac.wordpress.org/browser/gutenverse-for...

CVSS V3.1

Score:
6.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

andrea bocchetti
JSON
.
CVE-2025-14984 : Stored Cross-Site Scripting Vulnerability in Gutenverse Form Plugin for WordPress