Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
7DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in skygroup Nooni nooni allows Reflected XSS.This issue affects Nooni: from n/a through < 1.5.1.
AnalysisAI
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the skygroup Nooni theme affecting versions prior to 1.5.1, allowing attackers to inject malicious scripts into web pages viewed by users. The vulnerability stems from improper neutralization of user input during web page generation, classified as CWE-79. Attackers can craft malicious URLs containing JavaScript payloads that execute in the context of a victim's browser when the link is visited, potentially leading to session hijacking, credential theft, or malware distribution.
Technical ContextAI
The Nooni theme (identified via CPE cpe:2.3:a:skygroup:nooni:*:*:*:*:*:*:*:*) is a WordPress theme that fails to properly sanitize and escape user-supplied input before rendering it in HTML responses. This is a classic Reflected XSS vulnerability (CWE-79: Improper Neutralization of Input During Web Page Generation), where untrusted data from HTTP request parameters is directly inserted into the page without adequate validation or output encoding. The vulnerability likely affects theme template files that process query parameters, form submissions, or other user-controllable inputs without implementing proper input validation, output encoding, or Content Security Policy (CSP) protections. WordPress themes typically interact with the wp_kses() function for sanitization and esc_html() or similar escaping functions for output, which appear to be missing or improperly applied in affected versions.
RemediationAI
Upgrade the Nooni theme to version 1.5.1 or later immediately. The patch is available through the official WordPress theme repository or the theme vendor's distribution channel. Until patching is completed, website administrators should implement the following compensating controls: enable WordPress security plugins that filter malicious input patterns, implement a Web Application Firewall (WAF) configured to block common XSS payloads in query parameters, enforce a strict Content Security Policy (CSP) header limiting script execution to trusted sources, and disable the vulnerable theme from receiving traffic by temporarily switching to a patched theme. Additionally, audit access logs for signs of XSS exploitation attempts and consider implementing HTTP-only and Secure flags on session cookies to limit exposure if session hijacking is attempted. Refer to the Patchstack advisory (https://patchstack.com/database/Wordpress/Theme/nooni/vulnerability/wordpress-nooni-theme-1-5-1-reflected-cross-site-scripting-xss-vulnerability) for official patch notes and verification of successful remediation.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15669