Skip to main content

Loobek CVE-2026-25349

| EUVDEUVD-2026-15664 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-03-25 Patchstack GHSA-mj42-5g77-9x8h
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

7
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
Analysis Updated
Apr 16, 2026 - 06:15 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
1.5.2
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15664
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in skygroup Loobek loobek allows Reflected XSS.This issue affects Loobek: from n/a through < 1.5.2.

AnalysisAI

A Reflected Cross-Site Scripting (XSS) vulnerability exists in the skygroup Loobek theme (CWE-79: Improper Neutralization of Input During Web Page Generation) that allows attackers to inject malicious scripts into web pages viewed by users. The vulnerability affects Loobek versions prior to 1.5.2, as documented by Patchstack and tracked under ENISA EUVD ID EUVD-2026-15664. An attacker can craft a malicious URL containing unescaped input that, when clicked by a victim, executes arbitrary JavaScript in the victim's browser context, potentially leading to session hijacking, credential theft, or malware distribution.

Technical ContextAI

The vulnerability resides in the Loobek theme (cpe:2.3:a:skygroup:loobek:*:*:*:*:*:*:*:*), a WordPress theme component developed by skygroup. The root cause is CWE-79, which describes the failure to neutralize user-supplied input before it is output into dynamically generated web pages. In the context of a WordPress theme, this typically occurs when theme functions or template files directly output GET/POST parameters, URL query strings, or referrer headers without proper sanitization, escaping, or validation. The reflected nature of this XSS means the malicious payload is not stored in a database but travels through the URL or request itself, making it dependent on social engineering or link-injection attacks for successful exploitation. The theme's handling of user input in page generation routines—likely in theme hooks, template rendering, or custom shortcode handlers—fails to apply WordPress security functions such as esc_url(), esc_attr(), esc_html(), or wp_kses_post().

RemediationAI

Upgrade the Loobek theme to version 1.5.2 or later immediately. Visit the Patchstack vulnerability database (https://patchstack.com/database/Wordpress/Theme/loobek/vulnerability/wordpress-loobek-theme-1-5-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve) for detailed patch information and update instructions. For environments where immediate patching is not feasible, implement a Web Application Firewall (WAF) rule to block requests containing common XSS payloads in query strings and URL parameters, enforce Content Security Policy (CSP) headers to restrict script execution sources, and educate site administrators and users to avoid clicking on untrusted external links pointing to their own domain. Additionally, ensure all WordPress core files and other plugins are kept up to date, and consider using a security plugin to monitor for suspicious activity and provide additional input validation.

Share

CVE-2026-25349 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy