Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
7DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in skygroup Jaroti jaroti allows Reflected XSS.This issue affects Jaroti: from n/a through < 1.4.8.
AnalysisAI
A reflected Cross-site Scripting (XSS) vulnerability exists in the Skygroup Jaroti WordPress theme through version 1.4.7, allowing attackers to inject malicious scripts into web pages viewed by users. The vulnerability stems from improper neutralization of user input during web page generation (CWE-79), enabling attackers to execute arbitrary JavaScript in the context of victim browsers. Affected users should upgrade to Jaroti version 1.4.8 or later to remediate the vulnerability; no CVSS score or EPSS data is currently available, and no KEV or POC confirmation has been documented in accessible threat intelligence sources.
Technical ContextAI
The Jaroti WordPress theme (identified via CPE cpe:2.3:a:skygroup:jaroti:*:*:*:*:*:*:*:*) contains a reflected XSS vulnerability classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). Reflected XSS occurs when untrusted user input—typically from URL parameters, form submissions, or HTTP headers—is reflected back into the HTML response without proper sanitization or encoding. In WordPress themes, this commonly occurs in template files or query parameter handling where user-supplied data is echoed directly to output without escaping via WordPress security functions such as esc_html(), esc_attr(), or wp_kses_post(). The vulnerability allows attackers to craft malicious URLs containing embedded JavaScript payloads that execute when a victim visits the link, potentially stealing session cookies, credentials, or performing unauthorized actions on behalf of the user.
RemediationAI
Upgrade the Jaroti WordPress theme to version 1.4.8 or later immediately. This version contains fixes for the reflected XSS vulnerability and should be applied via the WordPress admin dashboard (Appearance > Themes > Updates) or by downloading the patched theme directly from the vendor. Consult the Patchstack vulnerability advisory at https://patchstack.com/database/Wordpress/Theme/jaroti/vulnerability/wordpress-jaroti-theme-1-4-8-reflected-cross-site-scripting-xss-vulnerability for confirmation of patch availability and any vendor-specific guidance. As an interim control pending patching, disable the vulnerable theme if it is not currently active, ensure WordPress and all plugins are up to date to reduce lateral risk, and implement Web Application Firewall (WAF) rules to detect and block common XSS payloads if the theme is exposed to untrusted user input. Additionally, review recent access logs for exploitation attempts using URL-encoded or obfuscated script tags in query parameters.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15636
GHSA-hjp3-jg32-fr9p