Skip to main content

Sanzo EUVDEUVD-2026-15673

| CVE-2026-25355 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-03-25 Patchstack GHSA-jr46-fhq7-fhhc
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
2.4.3
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15673
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
MEDIUM 6.5

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in skygroup Sanzo sanzo allows Stored XSS.This issue affects Sanzo: from n/a through < 2.4.3.

AnalysisAI

A Stored Cross-Site Scripting (XSS) vulnerability exists in the Sanzo theme by skygroup, allowing authenticated or unauthenticated attackers to inject malicious scripts that are permanently stored and executed in the context of other users' browsers. This vulnerability affects Sanzo versions prior to 2.4.3 and has been documented by Patchstack as a high-risk input validation failure. Attackers can leverage this to steal session cookies, perform actions on behalf of users, or redirect victims to malicious sites.

Technical ContextAI

The vulnerability stems from improper neutralization of user input during web page generation, classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). Sanzo is a WordPress theme by skygroup (CPE: cpe:2.3:a:skygroup:sanzo:*:*:*:*:*:*:*:*), and the root cause involves insufficient output encoding or input sanitization in theme template files or user-controlled fields. Unlike reflected XSS, stored XSS persists in the application's database, meaning the malicious payload is executed every time affected content is rendered to any user visiting the site. This is particularly dangerous in WordPress theme contexts where themes directly handle user content rendering without adequate security layers.

RemediationAI

Immediately upgrade the Sanzo theme to version 2.4.3 or later, which contains the necessary input sanitization and output encoding fixes. Upgrade instructions are available via the WordPress theme dashboard or through the vendor's official distribution channels referenced in the Patchstack advisory. Until patching can be completed, implement additional security controls such as enabling WordPress security plugins that provide content security policy (CSP) headers to mitigate XSS impact, restricting theme editor access to trusted administrators only, and disabling user-generated content fields that lack proper sanitization. Regularly review theme code for proper use of WordPress sanitization functions (sanitize_text_field, wp_kses_post) and escaping functions (esc_html, esc_attr, wp_kses_data).

Share

EUVD-2026-15673 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy