Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in QantumThemes Kentha allows Reflected XSS.This issue affects Kentha: from n/a through 4.7.2.
AnalysisAI
A reflected cross-site scripting (XSS) vulnerability exists in the QantumThemes Kentha WordPress theme that allows attackers to inject malicious scripts into web pages. The vulnerability affects all versions of Kentha through 4.7.2 and can be exploited remotely without authentication, though it requires user interaction. With a CVSS score of 7.1, this represents a high-severity issue, though no KEV listing or EPSS data suggests active widespread exploitation at this time.
Technical ContextAI
This vulnerability is rooted in CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as cross-site scripting. The Kentha WordPress theme fails to properly sanitize user-supplied input before reflecting it back in HTML responses, allowing attackers to inject arbitrary JavaScript code. The vulnerability is classified as reflected XSS, meaning the malicious payload is delivered through the request itself (typically via URL parameters or form inputs) and immediately reflected in the response without proper encoding or validation. As a WordPress theme component, this affects the presentation layer of WordPress installations using Kentha, discovered and reported by Patchstack's security audit team.
RemediationAI
Upgrade the Kentha WordPress theme to a version newer than 4.7.2 if a patched version has been released by QantumThemes. Consult the Patchstack database entry at https://patchstack.com/database/wordpress/theme/kentha/vulnerability/wordpress-kentha-theme-4-7-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve for the latest remediation guidance and confirmed patch availability. As an interim mitigation, implement web application firewall (WAF) rules to filter potential XSS payloads in HTTP requests, enable Content Security Policy (CSP) headers to restrict script execution sources, and educate users to avoid clicking suspicious links. Consider temporarily switching to an alternative WordPress theme if no patch is available and the site is at high risk.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-13079