Skip to main content

Mydecor EUVDEUVD-2026-15667

| CVE-2026-25352 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-03-25 Patchstack
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

7
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
Analysis Updated
Apr 16, 2026 - 06:15 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
1.5.9
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15667
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in skygroup MyDecor mydecor allows Reflected XSS.This issue affects MyDecor: from n/a through < 1.5.9.

AnalysisAI

A Reflected Cross-Site Scripting (XSS) vulnerability exists in the skygroup MyDecor WordPress theme affecting versions prior to 1.5.9. An unauthenticated attacker can inject malicious JavaScript code through unvalidated user input parameters in web requests, which is then reflected back to victims in the HTTP response without proper sanitization or encoding. This allows attackers to execute arbitrary JavaScript in a victim's browser within the context of the affected website, potentially leading to session hijacking, credential theft, or malware distribution.

Technical ContextAI

The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), a classic web application flaw where user-supplied input is rendered directly into HTML responses without neutralization. The affected product is the MyDecor WordPress theme (CPE: cpe:2.3:a:skygroup:mydecor:*:*:*:*:*:*:*:*), which is a server-side component that generates dynamic web pages. The root cause involves the theme's PHP code failing to properly sanitize or HTML-encode GET/POST parameters before embedding them into page output. Since this is a reflected XSS vulnerability (not stored), the payload must be crafted into a malicious URL and delivered to the victim, making it dependent on social engineering rather than persistent infection.

RemediationAI

Users should immediately upgrade the MyDecor theme to version 1.5.9 or later, which contains the security fix for this reflected XSS vulnerability. The patch is available through the official WordPress theme repository or directly from skygroup. Until patching is feasible, implement input validation and output encoding at the web server level using a Web Application Firewall (WAF) configured with XSS protection rules, disable user input parameters where not necessary, and enforce Content-Security-Policy (CSP) headers to restrict script execution. Additionally, educate end users to avoid clicking on suspicious links containing theme parameters, and monitor access logs for attempts to inject JavaScript payloads. For detailed patch information and verified downloads, consult the Patchstack vulnerability database entry.

Share

EUVD-2026-15667 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy