Skip to main content

Yobazar EUVDEUVD-2026-15675

| CVE-2026-25356 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-03-25 Patchstack GHSA-2hhr-933m-5jmg
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

7
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
Analysis Updated
Apr 16, 2026 - 06:15 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
1.6.7
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15675
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in skygroup Yobazar yobazar allows Reflected XSS.This issue affects Yobazar: from n/a through < 1.6.7.

AnalysisAI

A Reflected Cross-Site Scripting (XSS) vulnerability exists in the Skygroup Yobazar WordPress theme due to improper neutralization of user input during web page generation. This vulnerability affects Yobazar versions prior to 1.6.7 and allows attackers to inject malicious scripts that execute in the browsers of users who visit crafted URLs. The vulnerability has been reported by Patchstack and is classified as CWE-79; while no CVSS score or EPSS data is currently available, the reflected XSS vector typically enables session hijacking, credential theft, and malware distribution.

Technical ContextAI

This vulnerability is rooted in CWE-79 (Improper Neutralization of Input During Web Page Generation), a fundamental input validation flaw common in web applications and content management system themes. The Yobazar theme, identified via CPE cpe:2.3:a:skygroup:yobazar:*:*:*:*:*:*:*:*, fails to properly sanitize or encode user-supplied input before rendering it in HTTP responses. Reflected XSS occurs when an application takes user input (typically via query parameters or form submissions) and directly echoes it back in the HTML response without encoding, allowing browsers to interpret malicious script tags as legitimate code. This is distinct from stored XSS as the payload is not persisted in a database, but the attack surface remains significant in WordPress themes, which often handle URL parameters for customization and filtering.

RemediationAI

The primary remediation is to upgrade the Yobazar theme to version 1.6.7 or later, which patches the reflected XSS vulnerability. Site administrators should access the WordPress dashboard, navigate to Appearance > Themes, and update Yobazar to the latest available version (confirm via the official theme repository or Patchstack advisory). Until patching is completed, temporary mitigations include enabling WordPress security plugins that filter malicious URL parameters, implementing a Web Application Firewall (WAF) rule to detect and block common XSS payloads in query strings, and restricting theme functionality to trusted users only. Additionally, apply the principle of least privilege to user roles and educate site administrators to avoid clicking suspicious links or sharing theme-based URLs from untrusted sources.

Share

EUVD-2026-15675 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy