This vulnerability (CVE-2026-56040) is an instance of CWE-79, improper neutralization of input during web page generation, leading to Cross-Site Scripting (XSS) in the Gutenverse Form plugin for WordPress.com. It affects versions up to 2.4.7 and can be exploited without authentication. The CVSS 3.1 base score is 7.1, indicating high severity, with network attack vector, low attack complexity, no privileges required, user interaction required, and impacts on confidentiality, integrity, and availability. No vendor advisory or patch information is currently available, and no known exploits are reported in the wild.

Successful exploitation of this vulnerability could allow an unauthenticated attacker to execute arbitrary scripts in the context of the affected web application. This can lead to partial loss of confidentiality, integrity, and availability of the affected system or user data. The vulnerability requires user interaction but no privileges, making it a significant risk for users interacting with the vulnerable form.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should exercise caution when interacting with forms from the Gutenverse Form plugin and consider disabling or restricting its use if possible.