Skip to main content

Jaroti EUVDEUVD-2026-15636

| CVE-2026-25304 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-03-25 Patchstack GHSA-hjp3-jg32-fr9p
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

7
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
Analysis Updated
Apr 16, 2026 - 06:15 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
1.4.8
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15636
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in skygroup Jaroti jaroti allows Reflected XSS.This issue affects Jaroti: from n/a through < 1.4.8.

AnalysisAI

A reflected Cross-site Scripting (XSS) vulnerability exists in the Skygroup Jaroti WordPress theme through version 1.4.7, allowing attackers to inject malicious scripts into web pages viewed by users. The vulnerability stems from improper neutralization of user input during web page generation (CWE-79), enabling attackers to execute arbitrary JavaScript in the context of victim browsers. Affected users should upgrade to Jaroti version 1.4.8 or later to remediate the vulnerability; no CVSS score or EPSS data is currently available, and no KEV or POC confirmation has been documented in accessible threat intelligence sources.

Technical ContextAI

The Jaroti WordPress theme (identified via CPE cpe:2.3:a:skygroup:jaroti:*:*:*:*:*:*:*:*) contains a reflected XSS vulnerability classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). Reflected XSS occurs when untrusted user input—typically from URL parameters, form submissions, or HTTP headers—is reflected back into the HTML response without proper sanitization or encoding. In WordPress themes, this commonly occurs in template files or query parameter handling where user-supplied data is echoed directly to output without escaping via WordPress security functions such as esc_html(), esc_attr(), or wp_kses_post(). The vulnerability allows attackers to craft malicious URLs containing embedded JavaScript payloads that execute when a victim visits the link, potentially stealing session cookies, credentials, or performing unauthorized actions on behalf of the user.

RemediationAI

Upgrade the Jaroti WordPress theme to version 1.4.8 or later immediately. This version contains fixes for the reflected XSS vulnerability and should be applied via the WordPress admin dashboard (Appearance > Themes > Updates) or by downloading the patched theme directly from the vendor. Consult the Patchstack vulnerability advisory at https://patchstack.com/database/Wordpress/Theme/jaroti/vulnerability/wordpress-jaroti-theme-1-4-8-reflected-cross-site-scripting-xss-vulnerability for confirmation of patch availability and any vendor-specific guidance. As an interim control pending patching, disable the vulnerable theme if it is not currently active, ensure WordPress and all plugins are up to date to reduce lateral risk, and implement Web Application Firewall (WAF) rules to detect and block common XSS payloads if the theme is exposed to untrusted user input. Additionally, review recent access logs for exploitation attempts using URL-encoded or obfuscated script tags in query parameters.

Share

EUVD-2026-15636 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy