Skip to main content

Boutique CVE-2026-25342

| EUVDEUVD-2026-15655 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-03-25 Patchstack GHSA-cgw4-r4c2-m7c6
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

7
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
Analysis Updated
Apr 16, 2026 - 06:15 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
2.4.6
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15655
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in kutethemes Boutique kute-boutique allows Reflected XSS.This issue affects Boutique: from n/a through < 2.4.6.

AnalysisAI

A Reflected Cross-Site Scripting (XSS) vulnerability exists in the kutethemes Boutique WordPress theme versions prior to 2.4.6, allowing attackers to inject malicious scripts into web pages viewed by other users. An attacker can craft a malicious URL containing unsanitized input that, when clicked by a victim, executes arbitrary JavaScript in the victim's browser within the context of the affected website. This vulnerability enables session hijacking, credential theft, malware distribution, and defacement of affected e-commerce sites running vulnerable versions of the Boutique theme.

Technical ContextAI

This vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), a root cause category that encompasses failure to properly encode or sanitize user-supplied input before it is rendered in HTML output. The kutethemes Boutique theme (identified via CPE cpe:2.3:a:kutethemes:boutique:*:*:*:*:*:*:*:*) is a WordPress theme used for e-commerce storefronts, and the flaw exists in its page generation logic where reflected parameters are not adequately escaped for HTML context. Reflected XSS vulnerabilities differ from stored XSS in that they require the victim to visit a crafted link; the malicious payload is not persistently stored on the server but is instead reflected directly from the request into the response.

RemediationAI

Immediately upgrade the kutethemes Boutique theme to version 2.4.6 or later, which contains patches for this reflected XSS vulnerability. This patch is available through the WordPress theme repository or directly from kutethemes. If immediate upgrading is not feasible due to compatibility concerns, implement input validation and output encoding at the web server level using a Web Application Firewall (WAF) configured with XSS filtering rules to sanitize reflected parameters. Additionally, enforce Content Security Policy (CSP) headers with strict-origin-when-cross-origin and script-src 'self' directives to mitigate the impact of any injected scripts. For WordPress administrators, ensure all plugins are current, disable untrusted plugins, and consider restricting theme customization options that accept user input. Monitor web server logs for suspicious query strings containing script tags or encoded XSS payloads as a detection measure until patching is complete.

Share

CVE-2026-25342 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy