Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in G5Theme Darna Framework darna-framework allows Reflected XSS.This issue affects Darna Framework: from n/a through <= 2.9.
AnalysisAI
A reflected cross-site scripting (XSS) vulnerability exists in G5Theme's Darna Framework through version 2.9, allowing attackers to inject malicious scripts that execute in users' browsers when crafted URLs are visited. The vulnerability affects the Darna Framework WordPress plugin and stems from improper input neutralization during web page generation. While no CVSS score or EPSS data is currently published, the CWE-79 classification indicates this is a classic reflected XSS with potential for credential theft, session hijacking, and malware distribution depending on the attack vector's accessibility.
Technical ContextAI
The Darna Framework (cpe:2.3:a:g5theme:darna_framework:*:*:*:*:*:*:*:*) is a WordPress theme/plugin framework that processes user-supplied input during dynamic web page generation without adequate sanitization or output encoding. This violates CWE-79 (Improper Neutralization of Input During Web Page Generation), a category encompassing failures to escape or validate untrusted data before rendering in HTML contexts. The framework likely accepts query parameters, form inputs, or other request data and reflects them back in HTTP responses without HTML entity encoding, content-security-policy headers, or input validation, allowing attackers to break out of HTML attribute or script context and inject arbitrary JavaScript.
RemediationAI
Immediately upgrade the G5Theme Darna Framework to a patched version beyond 2.9; consult the official G5Theme security advisory or Patchstack database for the specific patch release. Until patching is feasible, implement input validation and output encoding at the application level, enforce Content-Security-Policy (CSP) headers to restrict inline script execution, and consider disabling the Darna Framework plugin if not actively required. Network-level mitigations include deploying a Web Application Firewall (WAF) with XSS detection rules and restricting access to administrative interfaces via IP allowlisting. Users should review their WordPress plugin settings and audit any recent modifications to site content or user access patterns.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15800
GHSA-j895-gc2p-77r2