Skip to main content

Miti CVE-2026-25350

| EUVDEUVD-2026-15665 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-03-25 Patchstack GHSA-v839-3mxp-p2x4
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

7
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
Analysis Updated
Apr 16, 2026 - 06:15 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
1.5.3
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15665
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in skygroup Miti miti allows Reflected XSS.This issue affects Miti: from n/a through < 1.5.3.

AnalysisAI

A Reflected Cross-Site Scripting (XSS) vulnerability exists in the skygroup Miti theme for WordPress, allowing attackers to inject malicious scripts into web pages viewed by users. This vulnerability affects Miti versions prior to 1.5.3, and an attacker can craft malicious URLs to execute arbitrary JavaScript in the context of a victim's browser session, potentially stealing credentials, session tokens, or performing actions on behalf of the user. No CVSS score, EPSS metric, or KEV status information is currently available, but the vulnerability has been documented by Patchstack with a patch available in version 1.5.3.

Technical ContextAI

This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), which represents a failure to sanitize or properly encode user-supplied input before rendering it in HTML output. The Miti theme (cpe:2.3:a:skygroup:miti:*:*:*:*:*:*:*:*) is a WordPress theme, and the reflected XSS occurs when unsanitized query parameters or form inputs are echoed directly into the HTTP response without escaping HTML entities or applying output encoding. In WordPress themes, this typically occurs in template files where $_GET, $_POST, or $_REQUEST variables are rendered without using WordPress escaping functions such as esc_html(), esc_attr(), or wp_kses_post(). The attack vector is network-based and requires no authentication, making it accessible to unauthenticated threat actors.

RemediationAI

Upgrade the Miti theme to version 1.5.3 or later immediately to address this vulnerability. Website administrators should access the WordPress theme management dashboard, verify the current installed version of Miti, and apply the available update through the standard WordPress update mechanism. Until the update can be deployed, implement defense-in-depth measures including: enforce Content Security Policy (CSP) headers to restrict inline script execution; enable WordPress security hardening plugins that provide input validation and XSS filtering; restrict administrative access and user permissions to minimize the impact of successful XSS exploitation; and educate users about phishing risks given the social engineering component of reflected XSS attacks. For additional details and confirmation of patch availability, consult the Patchstack database entry at https://patchstack.com/database/Wordpress/Theme/miti/vulnerability/wordpress-miti-theme-1-5-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.

Share

CVE-2026-25350 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy