Skip to main content

Qubely CVE-2026-39638

| EUVDEUVD-2026-20296 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-08 Patchstack GHSA-338c-7gw3-rg6c
5.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.9 MEDIUM
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Generated
Apr 15, 2026 - 12:42 vuln.today
CVSS changed
Apr 13, 2026 - 20:22 NVD
5.9 (MEDIUM)
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20296
CVE Published
Apr 08, 2026 - 08:30 nvd
N/A

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeum Qubely qubely allows Stored XSS.This issue affects Qubely: from n/a through <= 1.8.14.

AnalysisAI

Stored cross-site scripting (XSS) in Themeum Qubely WordPress plugin version 1.8.14 and earlier allows authenticated high-privilege users to inject malicious scripts that execute in the browsers of other site visitors, compromising session integrity and enabling credential theft or malware distribution. The vulnerability requires administrator authentication and user interaction (UI:R), limiting immediate risk, but stored persistence means injected payloads remain active until remediated. EPSS exploitation probability is extremely low at 0.03%, suggesting minimal real-world targeting despite public disclosure.

Technical ContextAI

Qubely is a WordPress page builder plugin that handles user-supplied input during web page generation without proper sanitization or encoding, allowing attackers to bypass input validation mechanisms. The vulnerability exploits CWE-79 (Improper Neutralization of Input During Web Page Generation), a class of weaknesses where untrusted data is rendered in HTML contexts without neutralization. The affected plugin versions (CPE:a:themeum:qubely:*) fail to escape or validate content at the point of storage or output, enabling stored XSS payloads to persist in the WordPress database and execute within the security context of authenticated users viewing the compromised page.

RemediationAI

Update Themeum Qubely to a version newer than 1.8.14 immediately; consult the plugin's official release page or WordPress.org plugin repository for the latest patched version number. If an immediate upgrade is not possible, restrict administrative and editor access to trusted users only, disable the plugin temporarily, or implement Web Application Firewall (WAF) rules to detect and block stored XSS payloads in Qubely-generated content. Review WordPress user roles and audit recent posts/pages created or modified by high-privilege accounts for suspicious script injections. Additional guidance is available at https://patchstack.com/database/Wordpress/Plugin/qubely/vulnerability/wordpress-qubely-plugin-1-8-14-cross-site-scripting-xss-vulnerability and https://nvd.nist.gov/vuln/detail/CVE-2026-39638.

Share

CVE-2026-39638 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy