Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in kutethemes TechOne techone allows Code Injection.This issue affects TechOne: from n/a through <= 3.0.3.
AnalysisAI
Improper neutralization of script-related HTML tags in kutethemes TechOne WordPress theme versions up to 3.0.3 enables unauthenticated attackers to inject malicious code through basic cross-site scripting (XSS), resulting in limited information disclosure. The vulnerability has an exceptionally low EPSS score (0.03%, percentile 8%) despite the moderate CVSS rating, suggesting minimal real-world exploitation likelihood. No public exploit code or confirmed active exploitation has been identified at the time of analysis.
Technical ContextAI
This vulnerability exploits inadequate input sanitization in the TechOne WordPress theme, a content management system extension. The root cause falls under CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page), a foundational XSS classification that occurs when user-supplied input containing HTML script tags is not properly neutralized before being rendered in a web page. WordPress themes are executed server-side but output HTML to browsers; failure to escape or filter script-related tags allows attackers to inject arbitrary JavaScript that executes in victims' browsers. The CPE designation (cpe:2.3:a:kutethemes:techone:*:*:*:*:*:*:*:*) identifies this as a WordPress theme plugin distributed by kutethemes. The vulnerability permits code injection through the theme's template rendering pipeline, likely via shortcode processing or widget content areas that lack proper HTML entity encoding.
RemediationAI
Upgrade kutethemes TechOne theme to a patched version higher than 3.0.3. Immediate patch version availability is not explicitly confirmed in the provided data; users should check the Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/techone/vulnerability/wordpress-techone-theme-3-0-3-arbitrary-shortcode-execution-vulnerability and the official NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-39625 for confirmed patched version availability and release timing. As an interim workaround, disable or restrict execution of untrusted shortcodes within the theme settings, and ensure WordPress security plugins with XSS filtering are active. Verify through the vendor's release notes or support channels that the installed version post-remediation has been confirmed patched.
Same weakness CWE-80 – Basic XSS
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20270
GHSA-65jg-j4jj-9wfr