pixfort Core CVE-2026-28072
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PixFort pixfort Core pixfort-core allows Reflected XSS.This issue affects pixfort Core: from n/a through <= 3.2.22.
AnalysisAI
Reflected cross-site scripting (XSS) in pixfort Core WordPress plugin versions up to 3.2.22 enables remote attackers to inject malicious scripts into web pages viewed by victims. The attack requires user interaction (clicking a malicious link) but no authentication, allowing attackers to steal session tokens, perform actions as the victim, or redirect users to phishing sites. EPSS score of 0.04% (10th percentile) indicates low probability of mass exploitation, and no active exploitation or public proof-of-concept has been identified at time of analysis.
Technical ContextAI
This is a reflected XSS vulnerability (CWE-79) in the pixfort Core WordPress plugin, a premium theme companion plugin providing core functionality for PixFort themes. Reflected XSS occurs when user-supplied input is immediately returned by a web application without proper sanitization or encoding, allowing attackers to inject JavaScript that executes in victims' browsers. The CVSS vector indicates network-based delivery (AV:N), low attack complexity (AC:L), and changed scope (S:C), meaning the vulnerable component (the WordPress plugin) differs from the impacted component (the user's browser session). The vulnerability affects all versions through 3.2.22, suggesting a fundamental input validation weakness in how the plugin handles URL parameters or form inputs that are reflected back to users.
Affected ProductsAI
The vulnerability impacts pixfort Core WordPress plugin versions from the earliest release through version 3.2.22. This is a premium commercial plugin typically bundled with PixFort WordPress themes available on ThemeForest. Sites using pixfort themes (such as Essentials, Startup, or other PixFort theme products) with the companion pixfort-core plugin installed and activated are vulnerable. The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/pixfort-core/vulnerability/wordpress-pixfort-core-plugin-3-2-22-reflected-cross-site-scripting-xss-vulnerability provides vendor-specific details, though direct patch version information is not available from provided references.
RemediationAI
WordPress administrators running pixfort Core plugin should immediately upgrade to version 3.2.23 or later if available through the PixFort theme licensing portal or ThemeForest update mechanism. Check the official PixFort support channels or ThemeForest purchase dashboard for the latest secure version, as premium plugins do not auto-update through WordPress.org repository. As an interim mitigation before patching, implement Content Security Policy (CSP) headers with script-src 'self' directive to prevent inline JavaScript execution, though this may break legitimate theme functionality and requires testing. Deploy Web Application Firewall (WAF) rules to detect and block common XSS patterns in URL parameters, noting this provides defense-in-depth but not complete protection against obfuscated payloads. For high-security environments unable to patch immediately, consider temporarily deactivating the pixfort Core plugin if theme functionality permits, though this will likely break critical design elements. Consult the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/pixfort-core/vulnerability/wordpress-pixfort-core-plugin-3-2-22-reflected-cross-site-scripting-xss-vulnerability for vendor-specific guidance.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today