Skip to main content

Mymedi CVE-2026-25351

| EUVDEUVD-2026-15666 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-03-25 Patchstack GHSA-9pp8-8p2x-gwxh
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

7
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
Analysis Updated
Apr 16, 2026 - 06:15 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
1.7.7
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15666
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in skygroup MyMedi mymedi allows Reflected XSS.This issue affects MyMedi: from n/a through < 1.7.7.

AnalysisAI

A Reflected Cross-Site Scripting (XSS) vulnerability exists in the skygroup MyMedi WordPress theme that allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users. The vulnerability affects MyMedi versions prior to 1.7.7, and an attacker can leverage reflected XSS to steal session cookies, redirect users to malicious sites, or perform actions on behalf of the victim. No active exploitation in the wild has been confirmed, but the vulnerability was publicly disclosed via Patchstack with technical details available.

Technical ContextAI

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), which occurs when user-supplied input is directly reflected in HTTP responses without proper sanitization or output encoding. In the context of the MyMedi WordPress theme (CPE: cpe:2.3:a:skygroup:mymedi:*:*:*:*:*:*:*:*), this means that URL parameters or form inputs are being echoed back to the user's browser without HTML-encoding or Content Security Policy protections. The reflected variant of XSS is particularly dangerous in web applications because the payload travels through the URL or request itself, making it easy to distribute via social engineering—victims need only click a malicious link to execute arbitrary JavaScript in their browser context.

RemediationAI

Upgrade the MyMedi WordPress theme to version 1.7.7 or later immediately through the WordPress dashboard (Appearance → Themes → Updates) or by downloading the patched version from the official Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/mymedi/vulnerability/wordpress-mymedi-theme-1-7-7-reflected-cross-site-scripting-xss-vulnerability. If immediate patching is not possible, implement a Web Application Firewall (WAF) rule to block requests containing common XSS payloads (script tags, event handlers such as onclick, onerror) and enforce Content Security Policy (CSP) headers via your web server to restrict inline script execution. Additionally, ensure WordPress core and all plugins are kept up to date, and consider implementing output escaping functions (such as esc_url, esc_html) in any custom theme modifications to prevent similar issues.

Share

CVE-2026-25351 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy