Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
7DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in skygroup MyDecor mydecor allows Reflected XSS.This issue affects MyDecor: from n/a through < 1.5.9.
AnalysisAI
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the skygroup MyDecor WordPress theme affecting versions prior to 1.5.9. An unauthenticated attacker can inject malicious JavaScript code through unvalidated user input parameters in web requests, which is then reflected back to victims in the HTTP response without proper sanitization or encoding. This allows attackers to execute arbitrary JavaScript in a victim's browser within the context of the affected website, potentially leading to session hijacking, credential theft, or malware distribution.
Technical ContextAI
The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), a classic web application flaw where user-supplied input is rendered directly into HTML responses without neutralization. The affected product is the MyDecor WordPress theme (CPE: cpe:2.3:a:skygroup:mydecor:*:*:*:*:*:*:*:*), which is a server-side component that generates dynamic web pages. The root cause involves the theme's PHP code failing to properly sanitize or HTML-encode GET/POST parameters before embedding them into page output. Since this is a reflected XSS vulnerability (not stored), the payload must be crafted into a malicious URL and delivered to the victim, making it dependent on social engineering rather than persistent infection.
RemediationAI
Users should immediately upgrade the MyDecor theme to version 1.5.9 or later, which contains the security fix for this reflected XSS vulnerability. The patch is available through the official WordPress theme repository or directly from skygroup. Until patching is feasible, implement input validation and output encoding at the web server level using a Web Application Firewall (WAF) configured with XSS protection rules, disable user input parameters where not necessary, and enforce Content-Security-Policy (CSP) headers to restrict script execution. Additionally, educate end users to avoid clicking on suspicious links containing theme parameters, and monitor access logs for attempts to inject JavaScript payloads. For detailed patch information and verified downloads, consult the Patchstack vulnerability database entry.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15667