Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in skygroup Sanzo sanzo allows Stored XSS.This issue affects Sanzo: from n/a through < 2.4.3.
AnalysisAI
A Stored Cross-Site Scripting (XSS) vulnerability exists in the Sanzo theme by skygroup, allowing authenticated or unauthenticated attackers to inject malicious scripts that are permanently stored and executed in the context of other users' browsers. This vulnerability affects Sanzo versions prior to 2.4.3 and has been documented by Patchstack as a high-risk input validation failure. Attackers can leverage this to steal session cookies, perform actions on behalf of users, or redirect victims to malicious sites.
Technical ContextAI
The vulnerability stems from improper neutralization of user input during web page generation, classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). Sanzo is a WordPress theme by skygroup (CPE: cpe:2.3:a:skygroup:sanzo:*:*:*:*:*:*:*:*), and the root cause involves insufficient output encoding or input sanitization in theme template files or user-controlled fields. Unlike reflected XSS, stored XSS persists in the application's database, meaning the malicious payload is executed every time affected content is rendered to any user visiting the site. This is particularly dangerous in WordPress theme contexts where themes directly handle user content rendering without adequate security layers.
RemediationAI
Immediately upgrade the Sanzo theme to version 2.4.3 or later, which contains the necessary input sanitization and output encoding fixes. Upgrade instructions are available via the WordPress theme dashboard or through the vendor's official distribution channels referenced in the Patchstack advisory. Until patching can be completed, implement additional security controls such as enabling WordPress security plugins that provide content security policy (CSP) headers to mitigate XSS impact, restricting theme editor access to trusted administrators only, and disabling user-generated content fields that lack proper sanitization. Regularly review theme code for proper use of WordPress sanitization functions (sanitize_text_field, wp_kses_post) and escaping functions (esc_html, esc_attr, wp_kses_data).
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15673
GHSA-jr46-fhq7-fhhc