Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
7DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in skygroup Yobazar yobazar allows Reflected XSS.This issue affects Yobazar: from n/a through < 1.6.7.
AnalysisAI
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the Skygroup Yobazar WordPress theme due to improper neutralization of user input during web page generation. This vulnerability affects Yobazar versions prior to 1.6.7 and allows attackers to inject malicious scripts that execute in the browsers of users who visit crafted URLs. The vulnerability has been reported by Patchstack and is classified as CWE-79; while no CVSS score or EPSS data is currently available, the reflected XSS vector typically enables session hijacking, credential theft, and malware distribution.
Technical ContextAI
This vulnerability is rooted in CWE-79 (Improper Neutralization of Input During Web Page Generation), a fundamental input validation flaw common in web applications and content management system themes. The Yobazar theme, identified via CPE cpe:2.3:a:skygroup:yobazar:*:*:*:*:*:*:*:*, fails to properly sanitize or encode user-supplied input before rendering it in HTTP responses. Reflected XSS occurs when an application takes user input (typically via query parameters or form submissions) and directly echoes it back in the HTML response without encoding, allowing browsers to interpret malicious script tags as legitimate code. This is distinct from stored XSS as the payload is not persisted in a database, but the attack surface remains significant in WordPress themes, which often handle URL parameters for customization and filtering.
RemediationAI
The primary remediation is to upgrade the Yobazar theme to version 1.6.7 or later, which patches the reflected XSS vulnerability. Site administrators should access the WordPress dashboard, navigate to Appearance > Themes, and update Yobazar to the latest available version (confirm via the official theme repository or Patchstack advisory). Until patching is completed, temporary mitigations include enabling WordPress security plugins that filter malicious URL parameters, implementing a Web Application Firewall (WAF) rule to detect and block common XSS payloads in query strings, and restricting theme functionality to trusted users only. Additionally, apply the principle of least privilege to user roles and educate site administrators to avoid clicking suspicious links or sharing theme-based URLs from untrusted sources.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15675
GHSA-2hhr-933m-5jmg