CVE Catalog

CVE-2026-10077

MediumCVSS 6.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.15%

5th percentile — higher than 5% of all known CVEs

Summary

The yootheme WordPress theme before version 5.0.35 does not prevent its bundled front-end framework from treating certain HTML attributes, which are permitted by wp_kses_post(), as markup. This allows users with the Author role to perform Stored Cross-Site Scripting attacks that execute in the browser of any user viewing the affected post.

Risk Assessment

An attacker with the Author role can inject malicious JavaScript into post content, leading to session theft, admin account takeover, or sensitive data leakage for all site visitors.

Recommendation

Immediately update the yootheme theme to version 5.0.35 or later. Limit the number of users with the Author role and consider using a Web Application Firewall (WAF) to block common XSS patterns.

Original NVD description (English source)

The yootheme WordPress theme before 5.0.35 does not prevent its bundled front-end framework from treating certain HTML attributes, which are permitted by wp_kses_post(), as markup, allowing users with the Author role to perform Stored Cross-Site Scripting attacks that execute in the browser of any user who views the affected post.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS