Gutenberg Vulnerability – Unauthenticated & Authenticated (Contributor+) Stored Cross-Site Scripting via Avatar Block | WordPress Plugin Vulnerability Report

Plugin Name: Gutenberg

Key Information:

  • Software Type: Plugin
  • Software Slug: gutenberg
  • Software Status: Active
  • Software Author: matveb
  • Software Downloads: 41,476,476
  • Active Installs: 300,000
  • Last Updated: April 16, 2024
  • Patched Versions: 18.01
  • Affected Versions: 12.9.0 - 18.0.0

Vulnerability Details:

  • Name: Gutenberg 12.9.0 - 18.0.0
  • Title: Unauthenticated & Authenticated (Contributor+) Stored Cross-Site Scripting via Avatar Block
  • Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • CVE: NA
  • CVSS Score: 6.4
  • Publicly Published: April 9, 2024
  • Researcher: John Blackbourn, stealthcopter
  • Description: The Gutenberg plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via user display names in the Avatar block in versions 12.9.0 to 18.0.0. Insufficient output escaping on display names allows authenticated users with contributor-level access and above, as well as unauthenticated users through the comment block, to inject arbitrary web scripts. These scripts execute when a user views an affected page, potentially leading to unauthorized data access or manipulation.


The Gutenberg plugin for WordPress has a vulnerability in versions from 12.9.0 up to and including 18.0.0 that allows both unauthenticated and authenticated users to perform stored cross-site scripting attacks via the Avatar block. This vulnerability has been addressed in version 18.01.

Detailed Overview:

The vulnerability identified in the Gutenberg plugin presents significant security risks. Stored XSS attacks such as this one can lead to data theft, session hijacking, and unauthorized actions on behalf of users. The issue was traced back to insufficient sanitization of user display names within the Avatar block, a common component in many WordPress sites. The dual risk for both authenticated and unauthenticated attacks broadens the potential for exploitation, making it critical for administrators to apply the patch promptly. The research conducted by John Blackbourn and stealthcopter was crucial in identifying and addressing this flaw swiftly.

Advice for Users:

  • Immediate Action: Update your Gutenberg plugin to the patched version 18.01 immediately to close the security gap.
  • Check for Signs of Vulnerability: Review your website’s pages for unexpected or suspicious scripts that could indicate past exploitation.
  • Alternate Plugins: While a patch is available, considering alternative plugins with similar functionality may provide peace of mind until the security of the patched version is confirmed through continued monitoring.
  • Stay Updated: Regularly updating your plugins and WordPress core is crucial for maintaining security against emerging threats.


The quick response by the Gutenberg plugin developers in releasing a patch highlights the importance of ongoing vigilance and rapid action in the realm of web security. Users must ensure they promptly update to version 18.01 or later to mitigate the risks associated with this vulnerability. As digital threats evolve, the commitment to maintaining up-to-date systems is indispensable for securing user data and ensuring the integrity of online platforms.


Detailed Report: 

In the digital age, where every aspect of our lives intersects with technology, maintaining the security of your website is not just a recommendation—it's a necessity. The recent discovery of a significant security flaw in the Gutenberg WordPress plugin, which powers over 300,000 websites, brings to the forefront the perpetual risk and reality of cyber threats. This vulnerability, known for affecting versions from 12.9.0 to 18.0.0, exposes sites to both unauthenticated and authenticated stored cross-site scripting (XSS) attacks through the Avatar block.

Vulnerability Insights:

The vulnerability manifests through insufficient output escaping on user display names within the Avatar block, permitting both unauthenticated and authenticated users to inject harmful scripts. These scripts can execute each time a user visits an affected page, leading to data theft, session hijacking, or unauthorized actions, potentially compromising personal data and the integrity of the website.

Historical Context:

This is not the first time vulnerabilities have been discovered in the Gutenberg plugin—there have been three previous instances since March 11, 2022. The recurring security issues highlight the importance of regular monitoring and updates.

Risks and Impacts:

Stored XSS attacks pose severe risks, as they allow attackers to manipulate the website content or function invisibly. Users might unknowingly trigger malicious scripts, leading to unauthorized access and potentially widespread damage across multiple user accounts.

Advice for Small Business Owners:

For small business owners juggling numerous responsibilities, managing website security may seem daunting. However, simple steps like setting up automatic updates, using strong passwords, and regularly reviewing access logs can significantly mitigate risks. Employing basic security plugins and services that alert you to vulnerabilities can also lessen the burden.


The quick response by the Gutenberg plugin developers in patching known vulnerabilities underscores the critical importance of keeping digital platforms updated and monitored. Staying proactive in your security practices is not just about protecting data—it's about safeguarding your business’s reputation and the trust of your customers. Remember, the cost of prevention is always less than the cost of a breach.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

Gutenberg Vulnerability – Unauthenticated & Authenticated (Contributor+) Stored Cross-Site Scripting via Avatar Block | WordPress Plugin Vulnerability Report FAQs

Leave a Comment