Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
The Total theme for WordPress is vulnerable to Stored Cross-Site Scripting via post titles in versions up to, and including, 2.2.1 due to insufficient output escaping when rendering the_title() inside HTML attribute context in the home blog section template. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation requires the malicious post to be published and displayed with a featured image in the Home Page blog section.
AnalysisAI
Stored Cross-Site Scripting in Total WordPress theme versions up to 2.2.1 allows authenticated contributors and above to inject arbitrary JavaScript via post titles in the home blog section. The vulnerability stems from insufficient output escaping when rendering post titles in HTML attribute context. Exploitation requires the malicious post to be published and displayed with a featured image on the home page, where the injected script will execute in the browsers of all users viewing the page. No public exploit code has been identified, and active exploitation has not been confirmed.
Technical ContextAI
The Total theme for WordPress improperly handles the the_title() WordPress function when rendering post titles within HTML attributes in the home blog section template. The issue is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), a classic Cross-Site Scripting vulnerability. When post titles containing malicious JavaScript are rendered directly into HTML attributes without proper escaping (such as using esc_attr() in WordPress), the JavaScript payload breaks out of the attribute context and executes as active script. The vulnerability is stored, meaning the payload persists in the WordPress database and executes every time the page is loaded, affecting all site visitors who view the injected post.
RemediationAI
The primary remediation is to update the Total theme to version 2.2.2 or later, which implements proper output escaping for post titles in the home blog section template. Site administrators should navigate to the WordPress admin dashboard, go to Appearance → Themes, locate Total, and click Update if available. For immediate protection before updating, site administrators can restrict contributor access to only trusted users, implement post moderation to review all new posts before publication, or temporarily disable the home page blog section feature if not critical to site functionality. The trade-off of restricting contributor access is reduced editorial workflow flexibility; post moderation adds administrative overhead but preserves functionality. Disabling the blog section is the most restrictive but eliminates the attack surface entirely. Reference the Wordfence advisory and WordPress theme repository changeset for patch details and confirmation of the fix.
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26768