Skip to main content

TheFox Theme CVE-2026-57684

| EUVDEUVD-2026-41293 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-02 Patchstack GHSA-86pc-wv97-h27m
6.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
5.4 MEDIUM

Contributor account required (PR:L), victim must view content (UI:R), scope changes to browser context (S:C); no direct availability impact attributable to XSS.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jul 02, 2026 - 12:34 vuln.today

DescriptionCVE.org

Contributor Cross Site Scripting (XSS) in TheFox <= 3.9.70 versions.

AnalysisAI

TheFox WordPress theme by tranmautritam in versions 3.9.70 and earlier allows a Contributor-level authenticated attacker to inject persistent Cross-Site Scripting payloads into theme-specific input fields, which then execute in the browsers of any user who views the affected content. The Changed Scope (S:C) in the CVSS vector confirms the payload crosses security boundaries into the victim browser context, enabling session token theft, credential harvesting, or unauthorized administrative actions against higher-privileged users such as editors or site admins. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain or register WordPress Contributor credentials
Delivery
Inject XSS payload into TheFox theme input field
Exploit
Content stored server-side awaiting admin review
Execution
Admin or editor loads affected page in browser
Persist
Malicious script executes in victim browser context
Impact
Exfiltrate session token or perform privileged actions

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold a valid WordPress Contributor-level account (or higher) on the target installation - confirmed by CVSS PR:L. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 6.5 (Medium) appropriately reflects the meaningful authentication barrier imposed by PR:L (Contributor account required) and the necessary victim interaction (UI:R), which together prevent opportunistic unauthenticated mass exploitation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or compromises a Contributor-level WordPress account on a target site running TheFox 3.9.70 or earlier, then embeds a malicious JavaScript payload in a theme-specific field such as a custom shortcode attribute, theme widget, or post meta field. When a site administrator or editor navigates to the affected page to review or publish content, the injected script silently executes in their browser, exfiltrating their session cookie to an attacker-controlled server and enabling full account takeover without any further authentication. …
Remediation Update the TheFox theme to a version released after 3.9.70 once a patched release is published by tranmautritam; check the Envato/ThemeForest marketplace or the Patchstack advisory at https://patchstack.com/database/wordpress/theme/thefox/vulnerability/wordpress-thefox-theme-3-9-70-cross-site-scripting-xss-vulnerability for patch availability, as no specific fixed version is confirmed in the available data. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57684 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy