• CVE-2025-22293 relating to a XSS vulnerability in Gutentor 3.4.0 was published on the 7th Jan and since then there have been several new versions of the plugin without any resolution of the bug.

    Can anyone confirm if the developers are aware of this issue and if so when might we expect a fix?

Viewing 8 replies - 1 through 8 (of 8 total)
Plugin Contributor codersantosh

    (@codersantosh)

    Hello @huskydog @pexlechris

    The issue you’re experiencing should be resolved in version 3.4.0. Please update to the latest version and see if the problem is fixed. If you’re still encountering the issue after updating, please reach out to me directly on WordPress Slack at @codersantosh or https://x.com/codersantosh

    Best Regards!

    Thread Starter huskydog

    (@huskydog)

    The issue you’re experiencing should be resolved in version 3.4.0.

    Huh? What? Have you actually read my initial question at all? The Wordfence vulnerability report kindly linked by Pexle Chris clearly states that versions up to and including 3.4.1 are vulnerable whilst the Patchstack entry says versions up to and including 3.4.3 are vulnerable.

    https://patchstack.com/database/wordpress/plugin/gutentor/vulnerability/wordpress-gutentor-plugin-3-4-0-cross-site-scripting-xss-vulnerability

    I’m already running 3.4.1 and will soon update to 3.4.3 but doing that isn’t going to change what is written in the vulnerability databases. If you think that this XSS issue has been fixed then can you say so as there is no hint of this in the Change Log.

    I’m beginning to suspect that the answer to my question about whether the developers are aware of this security problem is “No they’re not!” and that is rather worrying.

    Plugin Contributor codersantosh

    (@codersantosh)

    Hello everyone,

    Our team has thoroughly reviewed the plugin and couldn’t find such an issue in the current version. The page you linked does not provide clear steps to reproduce the problem, which makes it difficult to investigate further.

    We take security issues very seriously. Regarding a similar issue, we were notified by the WordPress Plugin Team about this and promptly addressed it in version 3.4.0.

    If you or anyone else can provide exact steps to replicate the issue, we kindly request that you refrain from discussing it in public forums. Instead, please report it directly to [email protected] or contact me directly via the contact methods mentioned above.

    Thank you for your understanding and cooperation.

    Best regards,

@codersantosh, you could contact Wordfence in order to ask for details. In the past, as a plugin author, I have also contacted them about a false positive of the Wordfence plugin at this email: [email protected]

    Thread Starter huskydog

    (@huskydog)

    OK, so things are now a bit clearer. As I understand it, the presumption is that this is a false positive. I can see that if true this is rather irritating for the developers, but also for users. I get an email from my Solid Security plugin every day now telling me that I have Vulnerable Software installed. I could mute this warning but I’d rather not go around doing this sort of thing if it can be avoided.

    The Solid Security warnings seem to come from Patchstack, but presumably they are just getting the information from somewhere else. I can certainly see that without someone revealing the steps to reproduce this or at least how they determined that it was an issue then it could be frustrating to get to a resolution.

Let the plugin author answer us about our concerns.

It was reported to the vendor on 2024-08-22 at 11:28:19 (EEST) and the vendor missed or ignored the vul. report since then. Today we got a request to provide more data about the issue, pointing at this thread. However, the request was sent from a Gmail inbox and we can’t provide sensitive information to unidentified recipients. Once we get an email from the vendor’s website mailbox, we will provide access to the vul. report once again.
