Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
7DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in kutethemes Boutique kute-boutique allows Reflected XSS.This issue affects Boutique: from n/a through < 2.4.6.
AnalysisAI
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the kutethemes Boutique WordPress theme versions prior to 2.4.6, allowing attackers to inject malicious scripts into web pages viewed by other users. An attacker can craft a malicious URL containing unsanitized input that, when clicked by a victim, executes arbitrary JavaScript in the victim's browser within the context of the affected website. This vulnerability enables session hijacking, credential theft, malware distribution, and defacement of affected e-commerce sites running vulnerable versions of the Boutique theme.
Technical ContextAI
This vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), a root cause category that encompasses failure to properly encode or sanitize user-supplied input before it is rendered in HTML output. The kutethemes Boutique theme (identified via CPE cpe:2.3:a:kutethemes:boutique:*:*:*:*:*:*:*:*) is a WordPress theme used for e-commerce storefronts, and the flaw exists in its page generation logic where reflected parameters are not adequately escaped for HTML context. Reflected XSS vulnerabilities differ from stored XSS in that they require the victim to visit a crafted link; the malicious payload is not persistently stored on the server but is instead reflected directly from the request into the response.
RemediationAI
Immediately upgrade the kutethemes Boutique theme to version 2.4.6 or later, which contains patches for this reflected XSS vulnerability. This patch is available through the WordPress theme repository or directly from kutethemes. If immediate upgrading is not feasible due to compatibility concerns, implement input validation and output encoding at the web server level using a Web Application Firewall (WAF) configured with XSS filtering rules to sanitize reflected parameters. Additionally, enforce Content Security Policy (CSP) headers with strict-origin-when-cross-origin and script-src 'self' directives to mitigate the impact of any injected scripts. For WordPress administrators, ensure all plugins are current, disable untrusted plugins, and consider restricting theme customization options that accept user input. Monitor web server logs for suspicious query strings containing script tags or encoded XSS payloads as a detection measure until patching is complete.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15655
GHSA-cgw4-r4c2-m7c6