Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in kutethemes DukaMarket dukamarket allows Code Injection.This issue affects DukaMarket: from n/a through <= 1.3.0.
AnalysisAI
Improper neutralization of script-related HTML tags in kutethemes DukaMarket WordPress theme version 1.3.0 and earlier allows unauthenticated remote attackers to inject malicious code via XSS, resulting in integrity compromise. The vulnerability has an EPSS score of 0.03% (percentile 8%), indicating very low real-world exploitation probability despite the moderate CVSS 5.3 rating. No evidence of active exploitation or public proof-of-concept code has been identified.
Technical ContextAI
The vulnerability is classified as CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page), a foundational cross-site scripting (XSS) flaw. This occurs when user-supplied input is rendered in HTML context without proper sanitization or encoding of script tags and event handlers. In the context of kutethemes DukaMarket (a WordPress e-commerce theme), the root cause involves inadequate input validation and output encoding in shortcode or template processing functionality, allowing attackers to inject arbitrary HTML and JavaScript code that executes in the context of affected web pages. The affected product is identified by CPE cpe:2.3:a:kutethemes:dukamarket:*:*:*:*:*:*:*:*, covering all versions through 1.3.0.
RemediationAI
Update kutethemes DukaMarket to the latest patched version immediately available from the vendor. Consult the Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/dukamarket/vulnerability/wordpress-dukamarket-theme-1-3-0-arbitrary-shortcode-execution-vulnerability for the specific fixed version number. As interim mitigations, implement strict Content Security Policy (CSP) headers to prevent inline script execution, validate and sanitize all user input before rendering in templates, and apply output encoding to all dynamic content. For WordPress environments, consider temporarily disabling or restricting access to the affected theme functionality if immediate patching is not feasible.
Same weakness CWE-80 – Basic XSS
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20276
GHSA-36hh-hpjf-wc4x