Skip to main content

RT-Theme 18 CVE-2026-57745

| EUVDEUVD-2026-43388 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-07-13 Patchstack
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
7.1 HIGH

Reflected XSS is network-reachable and low-complexity with no attacker auth (PR:N) but needs victim click (UI:R); scope changes into browser context (S:C) with limited C/I/A impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jul 13, 2026 - 10:37 vuln.today
CVE Published
Jul 13, 2026 - 08:41 cve.org
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in stmcan RT-Theme 18 | Extensions rt18-extensions allows Reflected XSS.This issue affects RT-Theme 18 | Extensions: from n/a through <= 2.5.

AnalysisAI

Reflected cross-site scripting in the stmcan RT-Theme 18 | Extensions WordPress plugin (all versions up to and including 2.5) lets remote attackers inject arbitrary JavaScript that executes in a victim's browser when they follow a crafted link. Because the CVSS scope is changed (S:C), a successful payload can affect resources beyond the vulnerable component, such as the WordPress session context. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious link to rt18-extensions parameter
Delivery
Deliver crafted URL via phishing
Exploit
Victim clicks and loads reflected page
Execution
Injected script executes in victim browser
Impact
Hijack session or act as victim

Vulnerability AssessmentAI

Exploitation Exploitation requires the RT-Theme 18 | Extensions plugin (version ≤ 2.5) to be installed and active on the WordPress site, and - per CVSS UI:R - requires a victim to interact by loading an attacker-crafted request (e.g., clicking a malicious link) that carries the reflected XSS payload into the vulnerable parameter. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals paint a moderate, user-interaction-gated risk rather than an urgent internet-wide threat. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a URL to the vulnerable rt18-extensions endpoint containing a malicious script payload in a reflected parameter and delivers it to a logged-in site user or administrator via phishing email or a malicious link. When the victim clicks, the script executes in their browser under the site's origin, allowing session/cookie theft or actions performed as the victim; the low attack complexity makes crafting the payload straightforward, though the required user interaction limits scale. …
Remediation No vendor-released patch version is identified in the available data (the advisory documents affected versions up to and including 2.5 without naming a fixed build), so administrators should monitor the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/rt18-extensions/vulnerability/wordpress-rt-theme-18-extensions-plugin-2-5-reflected-cross-site-scripting-xss-vulnerability and the stmcan/RT-Theme 18 vendor channel for an update newer than 2.5 and apply it as the primary fix. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: inventory all WordPress installations using stmcan RT-Theme 18 Extensions plugin versions 2.5 and below; deactivate the plugin immediately. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57745 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy