Skip to main content

QantumThemes Kentha CVE-2026-25442

| EUVDEUVD-2026-13079 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-03-19 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Re-analysis Queued
Apr 23, 2026 - 16:12 vuln.today
cvss_changed
EUVD ID Assigned
Mar 19, 2026 - 09:22 euvd
EUVD-2026-13079
Analysis Generated
Mar 19, 2026 - 09:22 vuln.today
CVE Published
Mar 19, 2026 - 09:16 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in QantumThemes Kentha allows Reflected XSS.This issue affects Kentha: from n/a through 4.7.2.

AnalysisAI

A reflected cross-site scripting (XSS) vulnerability exists in the QantumThemes Kentha WordPress theme that allows attackers to inject malicious scripts into web pages. The vulnerability affects all versions of Kentha through 4.7.2 and can be exploited remotely without authentication, though it requires user interaction. With a CVSS score of 7.1, this represents a high-severity issue, though no KEV listing or EPSS data suggests active widespread exploitation at this time.

Technical ContextAI

This vulnerability is rooted in CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as cross-site scripting. The Kentha WordPress theme fails to properly sanitize user-supplied input before reflecting it back in HTML responses, allowing attackers to inject arbitrary JavaScript code. The vulnerability is classified as reflected XSS, meaning the malicious payload is delivered through the request itself (typically via URL parameters or form inputs) and immediately reflected in the response without proper encoding or validation. As a WordPress theme component, this affects the presentation layer of WordPress installations using Kentha, discovered and reported by Patchstack's security audit team.

RemediationAI

Upgrade the Kentha WordPress theme to a version newer than 4.7.2 if a patched version has been released by QantumThemes. Consult the Patchstack database entry at https://patchstack.com/database/wordpress/theme/kentha/vulnerability/wordpress-kentha-theme-4-7-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve for the latest remediation guidance and confirmed patch availability. As an interim mitigation, implement web application firewall (WAF) rules to filter potential XSS payloads in HTTP requests, enable Content Security Policy (CSP) headers to restrict script execution sources, and educate users to avoid clicking suspicious links. Consider temporarily switching to an alternative WordPress theme if no patch is available and the site is at high risk.

Share

CVE-2026-25442 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy