Skip to main content

Motta Addons EUVDEUVD-2026-15633

| CVE-2026-25033 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-03-25 Patchstack GHSA-x7p6-vc38-8q33
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

7
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
Analysis Updated
Apr 16, 2026 - 06:15 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
1.6.1
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15633
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in uixthemes Motta Addons motta-addons allows Reflected XSS.This issue affects Motta Addons: from n/a through < 1.6.1.

AnalysisAI

A reflected cross-site scripting (XSS) vulnerability exists in the uixthemes Motta Addons WordPress plugin through version 1.6.0, allowing attackers to inject malicious JavaScript into web pages viewed by other users. The vulnerability affects all versions of Motta Addons prior to 1.6.1 and is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). While no CVSS score, EPSS score, or KEV status is currently available, this is a confirmed vulnerability reported by Patchstack with a clear patch version available, making it a practical security concern for WordPress site administrators using affected versions.

Technical ContextAI

The vulnerability stems from inadequate input sanitization and output encoding in the Motta Addons plugin (CPE: cpe:2.3:a:uixthemes:motta_addons:*:*:*:*:*:*:*:*), a WordPress plugin developed by UIXThemes. The root cause is classified under CWE-79, which describes improper neutralization of user-supplied data before it is used in the generation of web page content. In WordPress plugin contexts, this typically manifests when user input from GET or POST parameters, cookies, or other HTTP request data is directly reflected in HTML responses without proper escaping or sanitization using WordPress security functions like esc_html(), esc_attr(), or wp_kses_post(). The reflected nature of the XSS means the malicious payload is embedded in a URL or form submission and reflected back to the user without server-side storage, making it suitable for phishing and social engineering attacks.

RemediationAI

Immediately upgrade UIXThemes Motta Addons to version 1.6.1 or later, which includes the security patch for this reflected XSS vulnerability. Site administrators should navigate to the WordPress plugin dashboard, locate Motta Addons, and apply the available update. Until the patch can be deployed, implement input validation and output encoding at the web server level using a Web Application Firewall (WAF) to detect and block common XSS payloads (such as those containing script tags or event handlers). Additionally, enforce Content Security Policy (CSP) headers with strict-src directives and disable inline script execution to mitigate the impact of any reflected XSS that may be exploited before patching. If Motta Addons cannot be immediately updated due to compatibility concerns, consider temporarily disabling the plugin and using alternative functionality or reverting to a previous WordPress theme configuration. For detailed remediation guidance, consult the vendor advisory and security notices available on the Patchstack database linked in the references.

Share

EUVD-2026-15633 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy