Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Contributor authentication (PR:L) and victim interaction (UI:R) are confirmed prerequisites; no credible availability impact applies to stored XSS of this type.
Primary rating from Vendor (patchstack).
CVSS VectorVendor: patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Contributor Cross Site Scripting (XSS) in Neve PRO <= 3.1.2 versions.
AnalysisAI
Cross-site scripting in the Neve PRO WordPress theme addon (versions up to and including 3.1.2) allows a contributor-level authenticated user to inject persistent malicious JavaScript that executes in the browser context of other users, including administrators. The S:C scope change in the CVSS vector confirms the payload escapes the WordPress application boundary and executes in the victim's browser session, enabling session hijacking, credential theft, or admin-level privilege escalation. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to hold a valid WordPress contributor-level account (or higher) on the target site - this is the primary limiting condition corresponding to PR:L in the CVSS vector. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | CVSS 6.5 Medium with vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers or compromises a contributor account on a WordPress site running Neve PRO ≤ 3.1.2, then injects a malicious JavaScript payload into a theme-rendered field accessible to contributors. When a site administrator or editor previews or visits the affected content, the script executes in their browser, exfiltrating their session cookie or WordPress nonce to an attacker-controlled server - potentially enabling full administrative takeover of the WordPress installation. |
| Remediation | Update the Neve PRO WordPress theme addon to a version beyond 3.1.2 as soon as one is released by the vendor (ThemeIsle). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39741
GHSA-63mv-grhv-r323