Skip to main content

Porto WordPress Theme CVE-2026-28075

HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-03-05 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Updated
Apr 23, 2026 - 00:40 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 22, 2026 - 21:37 vuln.today
cvss_changed
Analysis Generated
Mar 12, 2026 - 22:06 vuln.today
CVE Published
Mar 05, 2026 - 06:16 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in p-themes Porto porto allows Reflected XSS.This issue affects Porto: from n/a through <= 7.6.2.

AnalysisAI

Reflected cross-site scripting (XSS) in Porto WordPress theme versions through 7.6.2 allows remote attackers to inject malicious JavaScript into web pages viewed by victims. Exploitation requires user interaction (clicking a malicious link). EPSS probability is low (0.04%, 10th percentile), indicating minimal observed exploitation activity. No active exploitation confirmed by CISA KEV. Patchstack has documented this vulnerability, suggesting detection capabilities exist.

Technical ContextAI

This is a reflected XSS vulnerability (CWE-79) in the Porto WordPress theme by p-themes. The flaw stems from improper neutralization of user-supplied input before rendering it in HTML output. When user input is incorporated into web pages without proper encoding or sanitization, attackers can inject arbitrary HTML/JavaScript that executes in victims' browsers. The CVSS vector (AV:N/AC:L/S:C) indicates this is a network-accessible vulnerability with changed scope, meaning the injected code executes in the context of the victim's browser session, potentially affecting resources beyond the vulnerable component itself. As a WordPress theme, Porto controls page rendering and templating, making it a common location for XSS issues when developer-controlled parameters are reflected without encoding.

Affected ProductsAI

WordPress Porto theme by p-themes, versions from earliest release through 7.6.2 inclusive. The vulnerability disclosure does not specify a lower version boundary ('from n/a'), indicating all versions up to and including 7.6.2 should be considered vulnerable. Patchstack database reference available at https://patchstack.com/database/Wordpress/Theme/porto/vulnerability/wordpress-porto-theme-7-6-2-reflected-cross-site-scripting-xss-vulnerability. No CPE identifier provided in available data. Organizations should audit all WordPress installations using the Porto theme and verify installed versions.

RemediationAI

Upgrade Porto WordPress theme to version 7.6.3 or later if available (patch version inferred from affected range ending at 7.6.2, but exact fix version not independently confirmed from provided data - consult Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/porto/vulnerability/wordpress-porto-theme-7-6-2-reflected-cross-site-scripting-xss-vulnerability for confirmed patched version). If immediate patching is not feasible, implement compensating controls: deploy a web application firewall (WAF) with XSS detection rules to filter malicious input patterns (note: may cause false positives requiring tuning), enable Content Security Policy (CSP) headers to restrict inline script execution (trade-off: may break legitimate theme functionality requiring script-src review), and implement input validation at the WordPress application layer using sanitization plugins (limited effectiveness against reflected XSS). Educate users not to click untrusted links to Porto-powered sites. Long-term: consider migrating to actively maintained themes with security audit history if vendor response is inadequate.

Share

CVE-2026-28075 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy