{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39683", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:58:10.483Z", "datePublished": "2026-04-08T08:30:42.120Z", "dateUpdated": "2026-04-08T08:30:42.120Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "garden-gnome-package", "product": "Garden Gnome Package", "vendor": "Chief Gnome", "versions": [{"lessThanOrEqual": "2.4.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:42.416Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chief Gnome Garden Gnome Package garden-gnome-package allows DOM-Based XSS.<p>This issue affects Garden Gnome Package: from n/a through <= 2.4.1.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chief Gnome Garden Gnome Package garden-gnome-package allows DOM-Based XSS.This issue affects Garden Gnome Package: from n/a through <= 2.4.1."}], "impacts": [{"capecId": "CAPEC-588", "descriptions": [{"lang": "en", "value": "DOM-Based XSS"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:42.120Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/garden-gnome-package/vulnerability/wordpress-garden-gnome-package-plugin-2-4-1-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "title": "WordPress Garden Gnome Package plugin <= 2.4.1 - Cross Site Scripting (XSS) vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chief Gnome Garden Gnome Package garden-gnome-package allows DOM-Based XSS.This issue affects Garden Gnome Package: from n/a through <= 2.4.1."}], "id": "CVE-2026-39683", "lastModified": "2026-04-08T21:26:13.410", "metrics": {}, "published": "2026-04-08T09:16:40.140", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/garden-gnome-package/vulnerability/wordpress-garden-gnome-package-plugin-2-4-1-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.4.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "garden_gnome_package", "vendor": "chief_gnome"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T09:55:36.795132+00:00", "value": {"mitigation_remediation": ["Update the Garden Gnome Package plugin to version 2.4.2 or later, which removes the DOM\u2011based XSS flaw", "If an update is not immediately possible, disable or delete the plugin to eliminate the attack surface", "As a temporary mitigation, enforce strict output encoding on any user\u2011generated content served by the site to reduce the risk of script injection"], "summary": {"action": "Immediate Patch", "impact": "Cross\u2011Site Scripting via unchecked input leads to DOM\u2011based exploitation"}, "threat_synthesis": {"affected_systems": "The issue applies to the Chief Gnome Garden Gnome Package plugin for WordPress versions from the earliest release through 2.4.1 inclusive. Any WordPress installation that has the plugin installed at a version equal to or older than 2.4.1 is vulnerable.", "description_and_impact": "An improper neutralization of user input during web page generation allows an attacker to inject malicious scripts into the page using the Garden Gnome Package plugin. The vulnerability stems from a failure to encode or sanitize data on the client side, enabling a DOM\u2011based XSS attack. Successful exploitation could allow the attacker to execute arbitrary code within the victim\u2019s browser context, potentially leading to session hijacking, theft of credentials, or defacement of the site\u2019s content.", "risk_and_exploitability": "No public CVSS score or EPSS figure is available for this vulnerability, and it is not listed in CISA\u2019s KEV catalog, which limits the precise quantification of risk. Nevertheless, because the flaw enables client\u2011side script injection, the potential impact remains significant, especially for sites that expose user\u2011controllable inputs or allow administrative interactions. The most straightforward attack vector would involve an attacker crafting a malicious URL or form input that, when viewed by a visitor, triggers the DOM\u2011based XSS. No special conditions beyond normal browser interaction are required, so the exploitation likelihood remains moderate to high given the prevalence of WordPress sites and the ubiquity of the vendor\u2019s plugin."}}}}, "created": "2026-04-08T19:40:37.864629+00:00", "updated": "2026-04-09T08:22:00.895497+00:00", "vendors": ["chief_gnome", "chief_gnome$PRODUCT$garden_gnome_package", "wordpress", "wordpress$PRODUCT$wordpress"]}