Skip to main content

Golo EUVDEUVD-2026-15547

| CVE-2026-23973 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-03-25 Patchstack GHSA-v8q3-m69v-4cr7
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

7
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
Analysis Updated
Apr 16, 2026 - 06:16 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
1.7.5
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15547
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in uxper Golo golo allows Reflected XSS.This issue affects Golo: from n/a through < 1.7.5.

AnalysisAI

A Reflected Cross-Site Scripting (XSS) vulnerability exists in the uxper Golo theme that allows attackers to inject malicious scripts into web pages viewed by users. The vulnerability affects Golo versions prior to 1.7.5 and can be exploited by crafting malicious URLs that execute arbitrary JavaScript in the context of a victim's browser. An attacker can steal session cookies, perform actions on behalf of the user, or redirect users to malicious sites without requiring authentication or special privileges.

Technical ContextAI

This vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), which is the canonical weakness for Cross-Site Scripting vulnerabilities. The uxper Golo product (CPE: cpe:2.3:a:uxper:golo:*:*:*:*:*:*:*:*) fails to properly sanitize or encode user-supplied input before rendering it in HTML output. Reflected XSS occurs when unsanitized query parameters, form data, or other HTTP request elements are directly echoed back in the HTTP response without proper HTML entity encoding or Content Security Policy protections. This is distinct from stored XSS because the malicious payload is not persisted in a database; instead, it is reflected directly from the attacker-crafted request. The Golo theme, likely a WordPress or web template framework component, does not implement adequate input validation or output encoding mechanisms to prevent script injection.

RemediationAI

Upgrade the uxper Golo theme to version 1.7.5 or later immediately. This patch version addresses the reflected XSS vulnerability by implementing proper input validation and output encoding. Users should navigate to their WordPress dashboard, locate the Golo theme in the Themes section, and apply the available update. Until the patch can be deployed, implement a Web Application Firewall (WAF) rule to detect and block requests containing common XSS payloads (e.g., script tags, event handlers) in query parameters and form inputs. Additionally, enforce Content Security Policy (CSP) headers with strict directives such as 'default-src self' and 'script-src self' to mitigate the impact of any injected scripts. For additional guidance, consult the Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/golo/vulnerability/wordpress-golo-theme-1-7-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.

Share

EUVD-2026-15547 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy