Skip to main content

Molla CVE-2026-32529

| EUVDEUVD-2026-15897 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-03-25 Patchstack GHSA-3c4c-3ph5-c7xc
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

7
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
Analysis Updated
Apr 16, 2026 - 06:14 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
1.5.19
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15897
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:15 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in don-themes Molla molla allows Reflected XSS.This issue affects Molla: from n/a through < 1.5.19.

AnalysisAI

A reflected Cross-Site Scripting (XSS) vulnerability exists in the don-themes Molla WordPress theme through version 1.5.18, allowing attackers to inject malicious scripts into web pages viewed by victims. The vulnerability stems from improper neutralization of user input during web page generation (CWE-79), enabling attackers to execute arbitrary JavaScript in the context of affected users' browsers. An attacker can craft a malicious URL containing XSS payload and trick users into clicking it, potentially leading to session hijacking, credential theft, or malware distribution. No active exploitation in the wild has been confirmed via KEV status, and CVSS/EPSS scores are not available, but the vulnerability is documented by Patchstack with a confirmed patch available in version 1.5.19 or later.

Technical ContextAI

The vulnerability resides in the don-themes Molla theme (CPE: cpe:2.3:a:don-themes:molla:*:*:*:*:*:*:*:*), a WordPress theme component. The root cause is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), which describes scenarios where user-supplied input is embedded into HTML output without proper sanitization or encoding. In the context of a WordPress theme, this typically occurs when query parameters, form data, or URL fragments are directly echoed into HTML output without using WordPress security functions such as esc_url(), esc_attr(), esc_html(), or wp_kses_post(). A reflected XSS vulnerability specifically means the malicious payload is passed via the HTTP request (e.g., in a query string) and reflected back to the user in the response without validation, as opposed to stored XSS where the payload is persisted in a database.

RemediationAI

Immediately upgrade the don-themes Molla theme to version 1.5.19 or later, which contains the security patch for this reflected XSS vulnerability. Website administrators should navigate to their WordPress dashboard, go to Appearance > Themes, locate Molla, and click Update if available. Until patching is possible, implement server-side input validation and output encoding: ensure all user-supplied input reflected in HTTP responses is properly sanitized using WordPress security functions (esc_url, esc_attr, esc_html, wp_kses_post), and consider deploying a Web Application Firewall (WAF) to detect and block XSS attempts targeting known reflection points. Additionally, enforce a Content Security Policy (CSP) header to restrict inline script execution, and encourage users to keep WordPress core and all plugins up to date. For detailed patch information, refer to the Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/molla/vulnerability/wordpress-molla-theme-1-5-19-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.

Share

CVE-2026-32529 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy