Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
7DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in uixthemes Motta Addons motta-addons allows Reflected XSS.This issue affects Motta Addons: from n/a through < 1.6.1.
AnalysisAI
A reflected cross-site scripting (XSS) vulnerability exists in the uixthemes Motta Addons WordPress plugin through version 1.6.0, allowing attackers to inject malicious JavaScript into web pages viewed by other users. The vulnerability affects all versions of Motta Addons prior to 1.6.1 and is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). While no CVSS score, EPSS score, or KEV status is currently available, this is a confirmed vulnerability reported by Patchstack with a clear patch version available, making it a practical security concern for WordPress site administrators using affected versions.
Technical ContextAI
The vulnerability stems from inadequate input sanitization and output encoding in the Motta Addons plugin (CPE: cpe:2.3:a:uixthemes:motta_addons:*:*:*:*:*:*:*:*), a WordPress plugin developed by UIXThemes. The root cause is classified under CWE-79, which describes improper neutralization of user-supplied data before it is used in the generation of web page content. In WordPress plugin contexts, this typically manifests when user input from GET or POST parameters, cookies, or other HTTP request data is directly reflected in HTML responses without proper escaping or sanitization using WordPress security functions like esc_html(), esc_attr(), or wp_kses_post(). The reflected nature of the XSS means the malicious payload is embedded in a URL or form submission and reflected back to the user without server-side storage, making it suitable for phishing and social engineering attacks.
RemediationAI
Immediately upgrade UIXThemes Motta Addons to version 1.6.1 or later, which includes the security patch for this reflected XSS vulnerability. Site administrators should navigate to the WordPress plugin dashboard, locate Motta Addons, and apply the available update. Until the patch can be deployed, implement input validation and output encoding at the web server level using a Web Application Firewall (WAF) to detect and block common XSS payloads (such as those containing script tags or event handlers). Additionally, enforce Content Security Policy (CSP) headers with strict-src directives and disable inline script execution to mitigate the impact of any reflected XSS that may be exploited before patching. If Motta Addons cannot be immediately updated due to compatibility concerns, consider temporarily disabling the plugin and using alternative functionality or reverting to a previous WordPress theme configuration. For detailed remediation guidance, consult the vendor advisory and security notices available on the Patchstack database linked in the references.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15633
GHSA-x7p6-vc38-8q33