Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Reflected XSS reachable over the network without authentication but requiring victim click (UI:R); script executes in site origin yielding scope change with limited C/I/A impact on the victim session.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Cross Site Scripting (XSS) in Skillate <= 1.2.10 versions.
AnalysisAI
Reflected cross-site scripting in the Skillate WordPress theme versions 1.2.10 and below allows remote unauthenticated attackers to inject arbitrary JavaScript that executes in a victim's browser when they interact with a crafted link. The flaw carries a CVSS 3.1 score of 7.1 with scope change (S:C), reflecting that the injected script runs in the WordPress site context and can pivot against authenticated users including administrators. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that a victim - ideally a logged-in WordPress user with elevated privileges - clicks an attacker-supplied URL targeting a Skillate-rendered page on a site running theme version 1.2.10 or earlier (UI:R from the CVSS vector). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) shows the issue is network-reachable, low-complexity, and unauthenticated, but requires user interaction - consistent with classic reflected XSS. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a URL containing a malicious JavaScript payload in a parameter handled by the Skillate theme and delivers it via phishing email or a malicious site to a logged-in WordPress administrator. When the admin clicks the link, the script executes in the WordPress origin and can steal session cookies, perform authenticated actions through the admin AJAX endpoints, or create a new attacker-controlled administrator account. |
| Remediation | Upstream fix available per Patchstack advisory; released patched version not independently confirmed from the input data, so site operators should consult the Patchstack entry at https://patchstack.com/database/wordpress/theme/skillate/vulnerability/wordpress-skillate-theme-1-2-10-reflected-cross-site-scripting-xss-vulnerability and upgrade Skillate to any release above 1.2.10 once published by Themeum. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit all WordPress installations to identify sites running Skillate theme version 1.2.10 or earlier. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37652