Skip to main content

Enfold WordPress Theme CVE-2026-48869

| EUVDEUVD-2026-37494 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-16 Patchstack
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
7.1 HIGH

Reflected XSS over the web (AV:N/AC:L), no auth needed (PR:N) but victim must click (UI:R); script runs in the WordPress session, crossing scope (S:C) with Low C/I/A impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 23:27 vuln.today

DescriptionCVE.org

Unauthenticated Cross Site Scripting (XSS) in Enfold <= 7.1.4 versions.

AnalysisAI

Reflected cross-site scripting in the Enfold WordPress theme versions up to and including 7.1.4 allows remote unauthenticated attackers to execute arbitrary JavaScript in a victim's browser when the user is lured into clicking a crafted link. The CVSS scope change (S:C) and Low impact across C/I/A indicate the injected script can affect components beyond the vulnerable theme component, typically the authenticated WordPress session. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify Enfold ≤7.1.4 target
Delivery
Craft reflected XSS URL
Exploit
Deliver link via phishing
Install
Admin clicks link
C2
Payload executes in session
Execute
Steal cookies or create admin user
Impact
Establish persistence in WordPress

Vulnerability AssessmentAI

Exploitation Exploitation requires (1) a target site running the Enfold theme at version 7.1.4 or earlier, (2) the attacker to deliver a crafted URL containing the reflected XSS payload to a victim, and (3) the victim to click that link in a browser - the CVSS UI:R requirement means there is no silent server-side trigger. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) reflects a typical reflected-XSS profile: network-reachable, low complexity, no authentication, but requires user interaction (clicking a crafted link). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a URL pointing at a vulnerable Enfold-powered WordPress site with malicious JavaScript embedded in a reflected parameter, then distributes it via phishing email, social media, or a comment on another site. When a logged-in WordPress administrator clicks the link, the payload executes in their browser session and can steal authentication cookies, exfiltrate nonces, perform CSRF-like actions such as creating a new admin user, or inject a persistent backdoor through the theme/plugin editor.
Remediation Upstream fix available per Patchstack advisory; a released patched version is not independently confirmed in the provided data, so administrators should consult the Patchstack page (https://patchstack.com/database/wordpress/theme/enfold/vulnerability/wordpress-enfold-theme-7-1-4-reflected-cross-site-scripting-xss-vulnerability) and Kriesi/ThemeForest for the next Enfold release above 7.1.4 and upgrade promptly. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all WordPress installations using Enfold theme and document their versions; contact Enfold vendor support to confirm patch availability and release timeline. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-48869 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy