Skip to main content

Nooni CVE-2026-25353

| EUVDEUVD-2026-15669 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-03-25 Patchstack
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

7
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
Analysis Updated
Apr 16, 2026 - 06:15 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
1.5.1
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15669
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in skygroup Nooni nooni allows Reflected XSS.This issue affects Nooni: from n/a through < 1.5.1.

AnalysisAI

A Reflected Cross-Site Scripting (XSS) vulnerability exists in the skygroup Nooni theme affecting versions prior to 1.5.1, allowing attackers to inject malicious scripts into web pages viewed by users. The vulnerability stems from improper neutralization of user input during web page generation, classified as CWE-79. Attackers can craft malicious URLs containing JavaScript payloads that execute in the context of a victim's browser when the link is visited, potentially leading to session hijacking, credential theft, or malware distribution.

Technical ContextAI

The Nooni theme (identified via CPE cpe:2.3:a:skygroup:nooni:*:*:*:*:*:*:*:*) is a WordPress theme that fails to properly sanitize and escape user-supplied input before rendering it in HTML responses. This is a classic Reflected XSS vulnerability (CWE-79: Improper Neutralization of Input During Web Page Generation), where untrusted data from HTTP request parameters is directly inserted into the page without adequate validation or output encoding. The vulnerability likely affects theme template files that process query parameters, form submissions, or other user-controllable inputs without implementing proper input validation, output encoding, or Content Security Policy (CSP) protections. WordPress themes typically interact with the wp_kses() function for sanitization and esc_html() or similar escaping functions for output, which appear to be missing or improperly applied in affected versions.

RemediationAI

Upgrade the Nooni theme to version 1.5.1 or later immediately. The patch is available through the official WordPress theme repository or the theme vendor's distribution channel. Until patching is completed, website administrators should implement the following compensating controls: enable WordPress security plugins that filter malicious input patterns, implement a Web Application Firewall (WAF) configured to block common XSS payloads in query parameters, enforce a strict Content Security Policy (CSP) header limiting script execution to trusted sources, and disable the vulnerable theme from receiving traffic by temporarily switching to a patched theme. Additionally, audit access logs for signs of XSS exploitation attempts and consider implementing HTTP-only and Secure flags on session cookies to limit exposure if session hijacking is attempted. Refer to the Patchstack advisory (https://patchstack.com/database/Wordpress/Theme/nooni/vulnerability/wordpress-nooni-theme-1-5-1-reflected-cross-site-scripting-xss-vulnerability) for official patch notes and verification of successful remediation.

Share

CVE-2026-25353 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy