Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
7DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in skygroup Loobek loobek allows Reflected XSS.This issue affects Loobek: from n/a through < 1.5.2.
AnalysisAI
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the skygroup Loobek theme (CWE-79: Improper Neutralization of Input During Web Page Generation) that allows attackers to inject malicious scripts into web pages viewed by users. The vulnerability affects Loobek versions prior to 1.5.2, as documented by Patchstack and tracked under ENISA EUVD ID EUVD-2026-15664. An attacker can craft a malicious URL containing unescaped input that, when clicked by a victim, executes arbitrary JavaScript in the victim's browser context, potentially leading to session hijacking, credential theft, or malware distribution.
Technical ContextAI
The vulnerability resides in the Loobek theme (cpe:2.3:a:skygroup:loobek:*:*:*:*:*:*:*:*), a WordPress theme component developed by skygroup. The root cause is CWE-79, which describes the failure to neutralize user-supplied input before it is output into dynamically generated web pages. In the context of a WordPress theme, this typically occurs when theme functions or template files directly output GET/POST parameters, URL query strings, or referrer headers without proper sanitization, escaping, or validation. The reflected nature of this XSS means the malicious payload is not stored in a database but travels through the URL or request itself, making it dependent on social engineering or link-injection attacks for successful exploitation. The theme's handling of user input in page generation routines—likely in theme hooks, template rendering, or custom shortcode handlers—fails to apply WordPress security functions such as esc_url(), esc_attr(), esc_html(), or wp_kses_post().
RemediationAI
Upgrade the Loobek theme to version 1.5.2 or later immediately. Visit the Patchstack vulnerability database (https://patchstack.com/database/Wordpress/Theme/loobek/vulnerability/wordpress-loobek-theme-1-5-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve) for detailed patch information and update instructions. For environments where immediate patching is not feasible, implement a Web Application Firewall (WAF) rule to block requests containing common XSS payloads in query strings and URL parameters, enforce Content Security Policy (CSP) headers to restrict script execution sources, and educate site administrators and users to avoid clicking on untrusted external links pointing to their own domain. Additionally, ensure all WordPress core files and other plugins are kept up to date, and consider using a security plugin to monitor for suspicious activity and provide additional input validation.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15664
GHSA-mj42-5g77-9x8h