Analysis Report · Folder Analysis cache/gutentools_1.1.3 → cache/gutentools_1.1.4 — CVE-2026-1395

Shared security patch analysis results

core/blocks/image-slider.php AI: 2 vulnerabilities CVE-2026-1395
--- cache/gutentools_1.1.3/core/blocks/image-slider.php	2026-04-23 00:29:39.148218656 +0000+++ cache/gutentools_1.1.4/core/blocks/image-slider.php	2026-04-23 00:29:46.888771020 +0000@@ -155,39 +155,40 @@ 
                     $slide = $this->count > esc_attr( $slideToShow[ 'values' ][ 'desktop' ] ) ? esc_attr( $slideToShow[ 'values' ][ 'desktop' ] ) : $this->count;
                     $fade = ( $attrs['fade'] && $slide == 1 ) ? 'true' : 'false';
-
+                    $dots = ( $attrs[ 'enableDots' ]  && $this->count > $slide )? 'true' : 'false';	
+                    $block_id = sanitize_html_class( $this->block_id );
+					$selector = '#' . $block_id . ' .gutentools-image-slider-init';
                     // Initialize the slider
                     ob_start();
-                    $dots = ( $attrs[ 'enableDots' ]  && $this->count > $slide )? 'true' : 'false';	
                     ?>
                     var slider = {
-                            dots: <?php echo esc_attr( $dots ) ?>,
-                            arrows: <?php echo $attrs['enableArrows'] ? 'true' : 'false'; ?>,
-                            infinite: true,
-                            speed: <?php echo esc_attr($attrs['speed']); ?>,
-                            autoplay: <?php echo $attrs['autoplay'] ? 'true' : 'false'; ?>,
-                            fade: <?php echo $fade ?>,
-                            slidesToShow: <?php echo esc_attr( $slide ) ?>,
-                            slidesToScroll: 1,
-                            cssEase: 'ease-in' ,
-                            prevArrow: '<button type="button" class="gutentools-prev-arrow gutentools-slider-arrow"><i class="fa fa-angle-left"></i></button>',
-                            nextArrow: '<button type="button" class="gutentools-next-arrow gutentools-slider-arrow"><i class="fa fa-angle-right"></i></button>',
-                            responsive: [
-                                {
-                                    breakpoint: 767,
-                                    settings: {
-                                        slidesToShow: <?php echo esc_attr( $slideToShow[ 'values' ][ 'mobile' ] ); ?>
-                                    }
-                                },
-                                {
-                                    breakpoint: 1024,
-                                    settings: {
-                                        slidesToShow: <?php echo esc_attr( $slideToShow[ 'values' ][ 'tablet' ] ); ?>
-                                    }
+                        dots: <?php echo wp_json_encode( (bool) $dots ); ?>,
+                        arrows: <?php echo wp_json_encode( (bool) $attrs['enableArrows'] ); ?>,
+                        infinite: true,
+                        speed: <?php echo intval( $attrs['speed'] ); ?>,
+                        autoplay: <?php echo wp_json_encode( (bool) $attrs['autoplay'] ); ?>,
+                        fade: <?php echo wp_json_encode( (bool) $fade ); ?>,
+                        slidesToShow: <?php echo intval( $slide ); ?>,
+                        slidesToScroll: 1,
+                        cssEase: 'ease-in',
+                        prevArrow: '<button type="button" class="gutentools-prev-arrow gutentools-slider-arrow"><i class="fa fa-angle-left"></i></button>',
+                        nextArrow: '<button type="button" class="gutentools-next-arrow gutentools-slider-arrow"><i class="fa fa-angle-right"></i></button>',
+                        responsive: [
+                            {
+                                breakpoint: 767,
+                                settings: {
+                                    slidesToShow: <?php echo intval( $slideToShow['values']['mobile'] ); ?>
+                                }
+                            },
+                            {
+                                breakpoint: 1024,
+                                settings: {
+                                    slidesToShow: <?php echo intval( $slideToShow['values']['tablet'] ); ?>
                                 }
-                            ]
-                        };
-                        jQuery('#<?php echo esc_attr( $this->block_id ); ?> .gutentools-image-slider-init').slick( slider );
+                            }
+                        ]
+                    };
+                    jQuery(<?php echo wp_json_encode($selector); ?>).slick(slider);
 
                     <?php
                     $js = ob_get_clean();
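Review bot: the `(bool)` casts on `dots: <?php echo wp_json_encode( (bool) $dots ); ?>` and `fade: <?php echo wp_json_encode( (bool) $fade ); ?>` do not do what this hunk intends, because both variables are still assigned the strings `'true'`/`'false'` (context line `$fade = ( $attrs['fade'] && $slide == 1 ) ? 'true' : 'false';` and the moved `$dots = ( $attrs[ 'enableDots' ]  && $this->count > $slide )? 'true' : 'false';`), and `(bool) 'false'` is `true` in PHP since any non-empty string is truthy, so both options are emitted as `true` whenever they are disabled. Assign real booleans instead, e.g. `$fade = ( $attrs['fade'] && $slide == 1 );` and `$dots = ( $attrs['enableDots'] && $this->count > $slide );`, and let `wp_json_encode()` render them. Minor: the new `$selector` line is indented with tabs while the surrounding block uses spaces, and the moved `$dots` line keeps a trailing tab.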
AI Analysis
Vulnerability Existed: yes
Cross-site Scripting (XSS) via unsanitized JS object properties [core/blocks/image-slider.php] [approx 167-185]
Old Code:
                        dots: <?php echo esc_attr( $dots ) ?>,
                        arrows: <?php echo $attrs['enableArrows'] ? 'true' : 'false'; ?>,
                        infinite: true,
                        speed: <?php echo esc_attr($attrs['speed']); ?>,
                        autoplay: <?php echo $attrs['autoplay'] ? 'true' : 'false'; ?>,
                        fade: <?php echo $fade ?>,
                        slidesToShow: <?php echo esc_attr( $slide ) ?>,
                        responsive: [
                            {
                                breakpoint: 767,
                                settings: {
                                    slidesToShow: <?php echo esc_attr( $slideToShow[ 'values' ][ 'mobile' ] ); ?>
                                }
                            },
                            {
                                breakpoint: 1024,
                                settings: {
                                    slidesToShow: <?php echo esc_attr( $slideToShow[ 'values' ][ 'tablet' ] ); ?>
                                }
Fixed Code:
                        dots: <?php echo wp_json_encode( (bool) $dots ); ?>,
                        arrows: <?php echo wp_json_encode( (bool) $attrs['enableArrows'] ); ?>,
                        infinite: true,
                        speed: <?php echo intval( $attrs['speed'] ); ?>,
                        autoplay: <?php echo wp_json_encode( (bool) $attrs['autoplay'] ); ?>,
                        fade: <?php echo wp_json_encode( (bool) $fade ); ?>,
                        slidesToShow: <?php echo intval( $slide ); ?>,
                        responsive: [
                            {
                                breakpoint: 767,
                                settings: {
                                    slidesToShow: <?php echo intval( $slideToShow['values']['mobile'] ); ?>
                                }
                            },
                            {
                                breakpoint: 1024,
                                settings: {
                                    slidesToShow: <?php echo intval( $slideToShow['values']['tablet'] ); ?>
                                }

Vulnerability Existed: yes
Cross-site Scripting (XSS) via unescaped jQuery selector string [core/blocks/image-slider.php] [approx 187-190]
Old Code:
                    jQuery('#<?php echo esc_attr( $this->block_id ); ?> .gutentools-image-slider-init').slick( slider );
Fixed Code:
                    $block_id = sanitize_html_class( $this->block_id );
                    $selector = '#' . $block_id . ' .gutentools-image-slider-init';
                    jQuery(<?php echo wp_json_encode($selector); ?>).slick(slider);
CVE Analysis Results:
CVE-2026-1395: Yes
CVE Description (NVD): The Gutentools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Post Slider block's block_id attribute in all versions up to, and including, 1.1.3. This is due to insufficient input sanitization and output escaping combined with a custom unescaping routine that reintroduces dangerous characters. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
core/blocks/post-slider.php AI: 2 vulnerabilities CVE-2026-1395
--- cache/gutentools_1.1.3/core/blocks/post-slider.php	2026-04-23 00:29:39.148218656 +0000+++ cache/gutentools_1.1.4/core/blocks/post-slider.php	2026-04-23 00:29:46.888771020 +0000@@ -198,42 +198,43 @@ 						    ? $slideToShow['values']['desktop']
 						    : $count;
 					$dots = ( $attrs['enableDots'] && $count > $slide ) ? 'true' : 'false';
+					$block_id = sanitize_html_class( $this->block_id );
+					$selector = '#' . $block_id . ' .gutentools-post-slider-init';
 
 					ob_start();
-					// $dots = ( $attrs[ 'enableDots' ]  && $this->count > $slide )? 'true' : 'false';	
-
 					?>
 
 					var slider = {
-						slidesToShow: <?php echo esc_attr( $slide ) ?>,
-						slidesToScroll: 1,
-						infinite: true,
-						speed: <?php echo esc_attr( $attrs[ 'speed' ]) ?>,
-						autoplay: <?php echo esc_attr( $attrs[ 'autoplay' ] ? 'true' : 'false') ?>,
-						arrows: <?php echo esc_attr( $attrs[ 'enableArrow' ] ? 'true' : 'false' ) ?>,
-						dots: <?php echo esc_attr( $dots ) ?>,
-						prevArrow: '<button type="button" class="gutentools-prev-arrow gutentools-slider-arrow"><i class="fa fa-angle-left"></i></button>',
-						nextArrow: '<button type="button" class="gutentools-next-arrow gutentools-slider-arrow"><i class="fa fa-angle-right"></i></button>',
-						responsive: [
-							{
-								breakpoint: 767,
-								settings: {
-									slidesToShow: <?php echo esc_attr( $slideToShow[ 'values' ][ 'mobile' ] ); ?>
-								}
-							},
-							{
-								breakpoint: 1024,
-								settings: {
-									slidesToShow: <?php echo esc_attr( $slideToShow[ 'values' ][ 'tablet' ] ); ?>
-								}
-							}
-							]
+					    slidesToShow: <?php echo intval($slide); ?>,
+					    slidesToScroll: 1,
+					    infinite: true,
+					    speed: <?php echo intval($attrs['speed']); ?>,
+					    autoplay: <?php echo wp_json_encode((bool) $attrs['autoplay']); ?>,
+					    arrows: <?php echo wp_json_encode((bool) $attrs['enableArrow']); ?>,
+					    dots: <?php echo wp_json_encode((bool) $dots); ?>,
+					    prevArrow: '<button type="button" class="gutentools-prev-arrow gutentools-slider-arrow"><i class="fa fa-angle-left"></i></button>',
+					    nextArrow: '<button type="button" class="gutentools-next-arrow gutentools-slider-arrow"><i class="fa fa-angle-right"></i></button>',
+					    responsive: [
+					        {
+					            breakpoint: 767,
+					            settings: {
+					                slidesToShow: <?php echo intval($slideToShow['values']['mobile']); ?>
+					            }
+					        },
+					        {
+					            breakpoint: 1024,
+					            settings: {
+					                slidesToShow: <?php echo intval($slideToShow['values']['tablet']); ?>
+					            }
+					        }
+					    ]
 					};
-					jQuery('#<?php echo esc_attr( $this->block_id ); ?> .gutentools-post-slider-init').slick( slider );
+
+					jQuery(<?php echo wp_json_encode($selector); ?>).slick(slider);
 
 					<?php
 					$js = ob_get_clean();
-					self::add_scripts( $js );
+					self::add_scripts($js);
 		    	}
 			}
 	    	
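Review bot: `dots: <?php echo wp_json_encode((bool) $dots); ?>` renders `true` even when dots are disabled, because `$dots` is still the string `'true'`/`'false'` (context line `$dots = ( $attrs['enableDots'] && $count > $slide ) ? 'true' : 'false';`) and a non-empty string such as `'false'` casts to `true` in PHP. Drop the `? 'true' : 'false'` so `$dots` stays a boolean and `wp_json_encode()` serialises it correctly. Minor: the rewritten option lines are indented with tabs plus spaces while the rest of the block is tab-indented.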
AI Analysis
Vulnerability Existed: yes
Cross-site Scripting (XSS) via unsafe JavaScript selector core/blocks/post-slider.php Lines 217-220
Old Code
jQuery('#<?php echo esc_attr( $this->block_id ); ?> .gutentools-post-slider-init').slick( slider );
Fixed Code
$block_id = sanitize_html_class( $this->block_id );
$selector = '#' . $block_id . ' .gutentools-post-slider-init';
jQuery(<?php echo wp_json_encode($selector); ?>).slick(slider);

Vulnerability Existed: yes
Cross-site Scripting (XSS) via unsafe JavaScript literal injection core/blocks/post-slider.php Lines 198-214
Old Code
var slider = {
    slidesToShow: <?php echo esc_attr( $slide ) ?>,
    slidesToScroll: 1,
    infinite: true,
    speed: <?php echo esc_attr( $attrs[ 'speed' ]) ?>,
    autoplay: <?php echo esc_attr( $attrs[ 'autoplay' ] ? 'true' : 'false') ?>,
    arrows: <?php echo esc_attr( $attrs[ 'enableArrow' ] ? 'true' : 'false' ) ?>,
    dots: <?php echo esc_attr( $dots ) ?>,
    responsive: [
        {
            breakpoint: 767,
            settings: {
                slidesToShow: <?php echo esc_attr( $slideToShow[ 'values' ][ 'mobile' ] ); ?>
            }
        },
        {
            breakpoint: 1024,
            settings: {
                slidesToShow: <?php echo esc_attr( $slideToShow[ 'values' ][ 'tablet' ] ); ?>
            }
        }
    ]
};
Fixed Code
var slider = {
    slidesToShow: <?php echo intval($slide); ?>,
    slidesToScroll: 1,
    infinite: true,
    speed: <?php echo intval($attrs['speed']); ?>,
    autoplay: <?php echo wp_json_encode((bool) $attrs['autoplay']); ?>,
    arrows: <?php echo wp_json_encode((bool) $attrs['enableArrow']); ?>,
    dots: <?php echo wp_json_encode((bool) $dots); ?>,
    responsive: [
        {
            breakpoint: 767,
            settings: {
                slidesToShow: <?php echo intval($slideToShow['values']['mobile']); ?>
            }
        },
        {
            breakpoint: 1024,
            settings: {
                slidesToShow: <?php echo intval($slideToShow['values']['tablet']); ?>
            }
        }
    ]
};
CVE Analysis Results:
CVE-2026-1395: Yes
core/blocks/post-ticker.php AI: 2 vulnerabilities CVE-2026-1395
--- cache/gutentools_1.1.3/core/blocks/post-ticker.php	2026-04-23 00:29:39.148218656 +0000+++ cache/gutentools_1.1.4/core/blocks/post-ticker.php	2026-04-23 00:29:46.888771020 +0000@@ -126,23 +126,26 @@ 					));
 
 					$animation = $this->get_slider_direction( $attrs[ 'animation' ]);
-					$block_id = $attrs[ 'block_id' ];
+										
+					$block_id = isset($attrs['block_id']) ? sanitize_html_class($attrs['block_id']) : '';
+					$type      = isset($animation[0]) ? $animation[0] : 'horizontal';
+					$direction = isset($animation[1]) ? $animation[1] : 'right';
+					$speed     = isset($animation[2]) ? intval($animation[2]) : 2000;
+
 					ob_start();
 					?>
 
 
-					jQuery('#<?php echo esc_js($block_id); ?> .gutentools-ticker-content').AcmeTicker({
-			            type:'<?php echo esc_js( $animation[0] ) ?>',
-			            speed: <?php echo esc_js( $animation[2] ) ?>,
-			            direction: '<?php echo esc_js( $animation[1] ) ?>',
-			            controls: {
-			                prev: jQuery('#<?php echo esc_js($block_id); ?> .gutentools-post-ticker-prev'),
-			                toggle: jQuery('#<?php echo esc_js($block_id); ?> .gutentools-post-ticker-toggle'),
-			                next: jQuery('#<?php echo esc_js($block_id); ?> .gutentools-post-ticker-next')            
-			            }
-
-			        });
-
+					jQuery('#<?php echo esc_js( $block_id ); ?> .gutentools-ticker-content').AcmeTicker({
+					    type: '<?php echo esc_js( $type ); ?>',
+					    speed: <?php echo $speed; ?>,
+					    direction: '<?php echo esc_js( $direction ); ?>',
+					    controls: {
+					        prev: jQuery('#<?php echo esc_js($block_id); ?> .gutentools-post-ticker-prev'),
+					        toggle: jQuery('#<?php echo esc_js($block_id); ?> .gutentools-post-ticker-toggle'),
+					        next: jQuery('#<?php echo esc_js($block_id); ?> .gutentools-post-ticker-next')            
+					    }
+					});
 			        jQuery('#<?php echo esc_js($block_id); ?> .gutentools-post-ticker-pause').on('click', function() {
 			            jQuery(this).hide();
 			            jQuery('#<?php echo esc_js($block_id); ?> .gutentools-post-ticker-play').show();
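Review bot: the empty-string fallback on `$block_id = isset($attrs['block_id']) ? sanitize_html_class($attrs['block_id']) : '';` (and `sanitize_html_class()` can itself reduce a value to `''`) turns every selector in this hunk into `'# .gutentools-...'`, which jQuery rejects with a selector syntax error, so the whole inline script throws before `AcmeTicker` is initialised. Return early or skip emitting the script when `$block_id === ''`. The `esc_js()` escaping of `$block_id`, `$type` and `$direction` inside single-quoted JS string literals is the right choice here, and `$speed` is already an integer via `intval()`, so echoing it unescaped is fine.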
@@ -155,10 +158,7 @@ 			        
 					<?php
 					$js = ob_get_clean();
-					self::add_scripts( $js );
-
-
-					
+					self::add_scripts( $js );	
 		    	}
 			}
 	    	
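Review bot: whitespace-only hunk, but the added line `self::add_scripts( $js );` carries a trailing tab; strip it so the change is a pure blank-line removal.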
@@ -216,7 +216,7 @@ 		    ?>
 		    <div id=<?php echo esc_attr( $attrs[ 'block_id' ] ) ?> class="gutentools-post-ticker">
 		    	<?php if( $this->attrs[ 'enableLabel' ] ): ?>
-			    <div class="gutentools-post-ticker-label"><?php echo $this->attrs['label'] ?></div>
+			    <div class="gutentools-post-ticker-label"><?php echo esc_attr( $this->attrs['label'] ) ?></div>
 				<?php endif; ?>
 			    <div class="gutentools-post-ticker-box">
 			        <ul class="gutentools-ticker-content">
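Review bot: `esc_attr()` is being used for text between tags on `<div class="gutentools-post-ticker-label"><?php echo esc_attr( $this->attrs['label'] ) ?></div>`; it does neutralise `<`, `>`, `"`, `'` and `&`, so the injection is closed, but `esc_html()` is the WordPress function intended for element content and should be used here (or `wp_kses_post()` if the label is meant to carry markup). The context line `<div id=<?php echo esc_attr( $attrs[ 'block_id' ] ) ?> class="gutentools-post-ticker">` still has an unquoted `id` attribute, where a space in the value ends the attribute regardless of `esc_attr()`, and it echoes the raw attribute rather than the `sanitize_html_class()` value the script now targets, so the DOM id and the JS selector can disagree for the same input; quote the attribute and echo the same sanitised value.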
AI Analysis
Vulnerability Existed: yes
Cross-Site Scripting (XSS) via untrusted block_id/animation values in inline JavaScript core/blocks/post-ticker.php 126-149
Old Code
$animation = $this->get_slider_direction( $attrs[ 'animation' ]);
$block_id = $attrs[ 'block_id' ];
...
jQuery('#<?php echo esc_js($block_id); ?> .gutentools-ticker-content').AcmeTicker({
    type:'<?php echo esc_js( $animation[0] ) ?>',
    speed: <?php echo esc_js( $animation[2] ) ?>,
    direction: '<?php echo esc_js( $animation[1] ) ?>',
    controls: {
        prev: jQuery('#<?php echo esc_js($block_id); ?> .gutentools-post-ticker-prev'),
        toggle: jQuery('#<?php echo esc_js($block_id); ?> .gutentools-post-ticker-toggle'),
        next: jQuery('#<?php echo esc_js($block_id); ?> .gutentools-post-ticker-next')            
    }
});
Fixed Code
$block_id = isset($attrs['block_id']) ? sanitize_html_class($attrs['block_id']) : '';
$type      = isset($animation[0]) ? $animation[0] : 'horizontal';
$direction = isset($animation[1]) ? $animation[1] : 'right';
$speed     = isset($animation[2]) ? intval($animation[2]) : 2000;
...
jQuery('#<?php echo esc_js( $block_id ); ?> .gutentools-ticker-content').AcmeTicker({
    type: '<?php echo esc_js( $type ); ?>',
    speed: <?php echo $speed; ?>,
    direction: '<?php echo esc_js( $direction ); ?>',
    controls: {
        prev: jQuery('#<?php echo esc_js($block_id); ?> .gutentools-post-ticker-prev'),
        toggle: jQuery('#<?php echo esc_js($block_id); ?> .gutentools-post-ticker-toggle'),
        next: jQuery('#<?php echo esc_js($block_id); ?> .gutentools-post-ticker-next')            
    }
});

Vulnerability Existed: yes
Cross-Site Scripting (XSS) via unsanitized label output core/blocks/post-ticker.php 216-217
Old Code
<div class="gutentools-post-ticker-label"><?php echo $this->attrs['label'] ?></div>
Fixed Code
<div class="gutentools-post-ticker-label"><?php echo esc_attr( $this->attrs['label'] ) ?></div>
CVE Analysis Results:
CVE-2026-1395: Yes
core/blocks/slider.php AI: 2 vulnerabilities CVE-2026-1395
--- cache/gutentools_1.1.3/core/blocks/slider.php	2026-04-23 00:29:39.148218656 +0000+++ cache/gutentools_1.1.4/core/blocks/slider.php	2026-04-23 00:29:46.888771020 +0000@@ -174,6 +174,8 @@ 						'css' => $desktop_css,
 					));
 					$dots = ( $attrs[ 'enableDots' ]  && $this->count > 1 )? 'true' : 'false';
+					$block_id = sanitize_html_class( $this->block_id );
+					$selector = '#' . $block_id . ' .gutentools-page-slider-init';
 					ob_start();
 					?>
 
@@ -181,15 +183,15 @@ 						slidesToShow: 1,
 						slidesToScroll: 1,
 						infinite: true,
-						speed: <?php echo esc_attr( $attrs[ 'speed' ] ) ?>,
-						fade: <?php echo $attrs[ 'fade' ] ? 'true' : 'false' ?>,
-						autoplay: <?php echo $attrs[ 'autoplay' ] ? 'true' : 'false' ?>,
-						arrows: <?php echo $attrs[ 'enableArrow' ] ? 'true' : 'false' ?>,
-						dots: <?php echo esc_attr($dots) ?>,
-						prevArrow: '<button type="button" class="gutentools-prev-arrow gutentools-slider-arrow"><i class="fa fa-angle-left"></i></button>',
+						speed: <?php echo intval( $attrs['speed'] ); ?>,
+					    fade: <?php echo wp_json_encode( (bool) $attrs['fade'] ); ?>,
+					    autoplay: <?php echo wp_json_encode( (bool) $attrs['autoplay'] ); ?>,
+					    arrows: <?php echo wp_json_encode( (bool) $attrs['enableArrow'] ); ?>,
+					    dots: <?php echo wp_json_encode( (bool) $dots ); ?>,						
+					    prevArrow: '<button type="button" class="gutentools-prev-arrow gutentools-slider-arrow"><i class="fa fa-angle-left"></i></button>',
 						nextArrow: '<button type="button" class="gutentools-next-arrow gutentools-slider-arrow"><i class="fa fa-angle-right"></i></button>'
 					};
-					jQuery('#<?php echo esc_attr( $this->block_id ); ?> .gutentools-page-slider-init').slick( slider );
+					 jQuery(<?php echo wp_json_encode( $selector ); ?>).slick(slider);
 
 					<?php
 					$js = ob_get_clean();
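Review bot: `dots: <?php echo wp_json_encode( (bool) $dots ); ?>` is wrong for the disabled case: `$dots` is assigned the string `'true'`/`'false'` in the preceding hunk (`$dots = ( $attrs[ 'enableDots' ]  && $this->count > 1 )? 'true' : 'false';`), and `(bool) 'false'` is `true` in PHP, so `dots` is always rendered as `true`. Keep `$dots` a boolean (`$dots = ( $attrs['enableDots'] && $this->count > 1 );`) and let `wp_json_encode()` serialise it. Style: the rewritten `fade`/`autoplay`/`arrows`/`dots` lines are indented with tabs plus four spaces while neighbouring lines use tabs only, the `dots:` line has trailing tabs, and `jQuery(<?php echo wp_json_encode( $selector ); ?>).slick(slider);` gained a leading space.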
AI Analysis
Vulnerability Existed: yes
Cross-Site Scripting (XSS) via inline JavaScript selector core/blocks/slider.php Lines 174-181
Old Code
    jQuery('#<?php echo esc_attr( $this->block_id ); ?> .gutentools-page-slider-init').slick( slider );
Fixed Code
    $block_id = sanitize_html_class( $this->block_id );
    $selector = '#' . $block_id . ' .gutentools-page-slider-init';
    jQuery(<?php echo wp_json_encode( $selector ); ?>).slick(slider);

Vulnerability Existed: yes
JavaScript injection via unescaped slider option values core/blocks/slider.php Lines 177-181
Old Code
    speed: <?php echo esc_attr( $attrs[ 'speed' ] ) ?>,
    fade: <?php echo $attrs[ 'fade' ] ? 'true' : 'false' ?>,
    autoplay: <?php echo $attrs[ 'autoplay' ] ? 'true' : 'false' ?>,
    arrows: <?php echo $attrs[ 'enableArrow' ] ? 'true' : 'false' ?>,
    dots: <?php echo esc_attr($dots) ?>,
Fixed Code
    speed: <?php echo intval( $attrs['speed'] ); ?>,
    fade: <?php echo wp_json_encode( (bool) $attrs['fade'] ); ?>,
    autoplay: <?php echo wp_json_encode( (bool) $attrs['autoplay'] ); ?>,
    arrows: <?php echo wp_json_encode( (bool) $attrs['enableArrow'] ); ?>,
    dots: <?php echo wp_json_encode( (bool) $dots ); ?>,
CVE Analysis Results:
CVE-2026-1395: Yes
core/class_block_helper.php AI: 1 vulnerabilities CVE-2026-1395
--- cache/gutentools_1.1.3/core/class_block_helper.php	2026-04-23 00:29:39.148218656 +0000+++ cache/gutentools_1.1.4/core/class_block_helper.php	2026-04-23 00:29:46.892771305 +0000@@ -200,32 +200,6 @@ 			echo wp_kses( $html, $allowed_tags );
 		}
 
-		public static function fix_escaped_tags_in_js( $escaped_js_code ) {
-		    $fixed_js_code = str_replace(
-		        [
-		            '&lt;',
-		            '&gt;', 
-		            '&quot;', 
-		            '&#039;', 
-		            '&amp;', 
-		            '\\\'',
-            		'\\"',
-		        ],
-		        [
-		            '<',
-		            '>',
-		            '"',
-		            "'",
-		            '&',
-		            "'", 
-            		'"',
-		        ],
-		        $escaped_js_code
-		    );
-
-		    return $fixed_js_code;
-		}
-
 		public static function is_woocommerce_active(){
 		    if( in_array( 'woocommerce/woocommerce.php', apply_filters( 'active_plugins', get_option( 'active_plugins' ) ) ) ){
 		        return 1;
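Review bot: removing `fix_escaped_tags_in_js()` is the right fix, since it mapped `&lt;`, `&gt;`, `&quot;`, `&#039;`, `&amp;` and backslash-escaped quotes back to their raw characters and so undid whatever escaping had been applied upstream; but it is a `public static` method, so any remaining caller in this plugin, a theme or an add-on will now fail with an undefined-method fatal. Confirm no call sites remain, or leave a deprecated stub that returns `$escaped_js_code` unchanged and calls `_deprecated_function()`.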
@@ -234,6 +208,5 @@ 		    }
 		}
 
-
 	}
 endif;\ No newline at end of file
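Review bot: the file still ends without a trailing newline (`endif;\ No newline at end of file`); add one so that future diffs touching the end of this file do not show a spurious change on the closing line.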
AI Analysis
Vulnerability Existed: yes
Cross-site Scripting (XSS) core/class_block_helper.php Lines 200-232
Old Code
    public static function fix_escaped_tags_in_js( $escaped_js_code ) {
        $fixed_js_code = str_replace(
            [
                '&lt;',
                '&gt;', 
                '&quot;', 
                '&#039;', 
                '&amp;', 
                '\\\'',
                '\\"',
            ],
            [
                '<',
                '>',
                '"',
                "'",
                '&',
                "'", 
                '"',
            ],
            $escaped_js_code
        );
        return $fixed_js_code;
    }
Fixed Code
    public static function is_woocommerce_active(){
        if( in_array( 'woocommerce/woocommerce.php', apply_filters( 'active_plugins', get_option( 'active_plugins' ) ) ) ){
            return 1;
        }
    }
CVE Analysis Results:
CVE-2026-1395: Yes