Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in G5Theme Wolverine Framework wolverine-framework allows Reflected XSS.This issue affects Wolverine Framework: from n/a through <= 1.9.
AnalysisAI
A Reflected Cross-Site Scripting (XSS) vulnerability exists in G5Theme's Wolverine Framework through version 1.9, enabling attackers to inject malicious scripts into web pages generated by the framework. This vulnerability affects all installations of Wolverine Framework up to and including version 1.9, allowing attackers to execute arbitrary JavaScript in the context of victim browsers when they visit a maliciously crafted URL. While no CVSS score or EPSS data is currently available, the vulnerability has been reported by Patchstack and assigned ENISA EUVD ID EUVD-2026-15797, indicating it has undergone standardized review.
Technical ContextAI
The Wolverine Framework (CPE: cpe:2.3:a:g5theme:wolverine_framework:*:*:*:*:*:*:*:*) is a WordPress plugin framework developed by G5Theme. The vulnerability stems from CWE-79 (Improper Neutralization of Input During Web Page Generation), which represents a classic failure to properly sanitize and validate user-supplied input before rendering it in HTML context. Reflected XSS vulnerabilities in this class occur when the framework directly echoes user input (typically from query parameters, form data, or request headers) into HTTP responses without adequate encoding or filtering, allowing attackers to inject script payloads that execute in victim browsers. This is particularly dangerous in plugin frameworks that may handle multiple user inputs across numerous pages.
RemediationAI
Immediately upgrade G5Theme Wolverine Framework to a version newer than 1.9 if such a patched version is available from G5Theme. Consult the vendor's security advisory and release notes to identify the first patched version and apply it without delay. If a patched version is not yet available, implement layered mitigation controls including: enforce Content Security Policy (CSP) headers on all pages served by the framework to restrict script execution to whitelisted sources; enable output encoding at the web server level using ModSecurity or similar WAF rules to neutralize XSS payloads; and restrict access to the framework's entry points to trusted IP ranges if feasible. Additionally, conduct a security audit of all user input handling within custom Wolverine Framework implementations to identify and remediate similar input validation issues. Monitor G5Theme's official channels and Patchstack for patch availability and apply updates immediately upon release.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15797
GHSA-5263-vppj-gv4j