Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
7DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in don-themes Molla molla allows Reflected XSS.This issue affects Molla: from n/a through < 1.5.19.
AnalysisAI
A reflected Cross-Site Scripting (XSS) vulnerability exists in the don-themes Molla WordPress theme through version 1.5.18, allowing attackers to inject malicious scripts into web pages viewed by victims. The vulnerability stems from improper neutralization of user input during web page generation (CWE-79), enabling attackers to execute arbitrary JavaScript in the context of affected users' browsers. An attacker can craft a malicious URL containing XSS payload and trick users into clicking it, potentially leading to session hijacking, credential theft, or malware distribution. No active exploitation in the wild has been confirmed via KEV status, and CVSS/EPSS scores are not available, but the vulnerability is documented by Patchstack with a confirmed patch available in version 1.5.19 or later.
Technical ContextAI
The vulnerability resides in the don-themes Molla theme (CPE: cpe:2.3:a:don-themes:molla:*:*:*:*:*:*:*:*), a WordPress theme component. The root cause is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), which describes scenarios where user-supplied input is embedded into HTML output without proper sanitization or encoding. In the context of a WordPress theme, this typically occurs when query parameters, form data, or URL fragments are directly echoed into HTML output without using WordPress security functions such as esc_url(), esc_attr(), esc_html(), or wp_kses_post(). A reflected XSS vulnerability specifically means the malicious payload is passed via the HTTP request (e.g., in a query string) and reflected back to the user in the response without validation, as opposed to stored XSS where the payload is persisted in a database.
RemediationAI
Immediately upgrade the don-themes Molla theme to version 1.5.19 or later, which contains the security patch for this reflected XSS vulnerability. Website administrators should navigate to their WordPress dashboard, go to Appearance > Themes, locate Molla, and click Update if available. Until patching is possible, implement server-side input validation and output encoding: ensure all user-supplied input reflected in HTTP responses is properly sanitized using WordPress security functions (esc_url, esc_attr, esc_html, wp_kses_post), and consider deploying a Web Application Firewall (WAF) to detect and block XSS attempts targeting known reflection points. Additionally, enforce a Content Security Policy (CSP) header to restrict inline script execution, and encourage users to keep WordPress core and all plugins up to date. For detailed patch information, refer to the Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/molla/vulnerability/wordpress-molla-theme-1-5-19-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15897
GHSA-3c4c-3ph5-c7xc