Porto WordPress Theme CVE-2026-28075
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in p-themes Porto porto allows Reflected XSS.This issue affects Porto: from n/a through <= 7.6.2.
AnalysisAI
Reflected cross-site scripting (XSS) in Porto WordPress theme versions through 7.6.2 allows remote attackers to inject malicious JavaScript into web pages viewed by victims. Exploitation requires user interaction (clicking a malicious link). EPSS probability is low (0.04%, 10th percentile), indicating minimal observed exploitation activity. No active exploitation confirmed by CISA KEV. Patchstack has documented this vulnerability, suggesting detection capabilities exist.
Technical ContextAI
This is a reflected XSS vulnerability (CWE-79) in the Porto WordPress theme by p-themes. The flaw stems from improper neutralization of user-supplied input before rendering it in HTML output. When user input is incorporated into web pages without proper encoding or sanitization, attackers can inject arbitrary HTML/JavaScript that executes in victims' browsers. The CVSS vector (AV:N/AC:L/S:C) indicates this is a network-accessible vulnerability with changed scope, meaning the injected code executes in the context of the victim's browser session, potentially affecting resources beyond the vulnerable component itself. As a WordPress theme, Porto controls page rendering and templating, making it a common location for XSS issues when developer-controlled parameters are reflected without encoding.
Affected ProductsAI
WordPress Porto theme by p-themes, versions from earliest release through 7.6.2 inclusive. The vulnerability disclosure does not specify a lower version boundary ('from n/a'), indicating all versions up to and including 7.6.2 should be considered vulnerable. Patchstack database reference available at https://patchstack.com/database/Wordpress/Theme/porto/vulnerability/wordpress-porto-theme-7-6-2-reflected-cross-site-scripting-xss-vulnerability. No CPE identifier provided in available data. Organizations should audit all WordPress installations using the Porto theme and verify installed versions.
RemediationAI
Upgrade Porto WordPress theme to version 7.6.3 or later if available (patch version inferred from affected range ending at 7.6.2, but exact fix version not independently confirmed from provided data - consult Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/porto/vulnerability/wordpress-porto-theme-7-6-2-reflected-cross-site-scripting-xss-vulnerability for confirmed patched version). If immediate patching is not feasible, implement compensating controls: deploy a web application firewall (WAF) with XSS detection rules to filter malicious input patterns (note: may cause false positives requiring tuning), enable Content Security Policy (CSP) headers to restrict inline script execution (trade-off: may break legitimate theme functionality requiring script-src review), and implement input validation at the WordPress application layer using sanitization plugins (limited effectiveness against reflected XSS). Educate users not to click untrusted links to Porto-powered sites. Long-term: consider migrating to actively maintained themes with security audit history if vendor response is inadequate.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today