Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
7DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ProgressionStudios Vayvo vayvo-progression allows Reflected XSS.This issue affects Vayvo: from n/a through < 6.8.
AnalysisAI
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the ProgressionStudios Vayvo WordPress theme (versions prior to 6.8) that allows attackers to inject malicious scripts into web pages viewed by users. An attacker can craft a malicious URL containing unsanitized input and trick users into clicking it, causing arbitrary JavaScript to execute in the victim's browser within the context of the Vayvo-powered site. No CVSS score, EPSS probability, or KEV confirmation is currently available, but the reflected XSS classification and Patchstack reporting indicate this is a known, credible vulnerability with patch availability.
Technical ContextAI
This vulnerability stems from improper input neutralization during web page generation, classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The Vayvo WordPress theme (identified via CPE cpe:2.3:a:progressionstudios:vayvo:*:*:*:*:*:*:*:*) fails to adequately sanitize or escape user-supplied input before rendering it in HTML responses. Unlike stored XSS, reflected XSS requires the malicious payload to be transmitted through the HTTP request itself, typically via URL parameters or form submissions. The vulnerability is likely in a theme template file or custom plugin code that directly echoes unvalidated GET or POST parameters without applying WordPress security functions such as esc_attr(), esc_html(), or wp_kses_post().
RemediationAI
Immediately upgrade the Vayvo WordPress theme to version 6.8 or later through the WordPress theme management interface or directly from the vendor. After upgrading, clear browser caches and verify the update via the WordPress admin dashboard. As an interim mitigation for unpatched installations, implement a Web Application Firewall (WAF) rule set to detect and block common XSS payloads in URL parameters, enable Content Security Policy (CSP) headers to restrict inline script execution, and educate users not to click suspicious links from untrusted sources. For detailed patch information and vendor advisory, refer to the Patchstack database entry at https://patchstack.com/database/Wordpress/Theme/vayvo-progression/vulnerability/wordpress-vayvo-media-streaming-membership-wordpress-theme-theme-6-8-reflected-cross-site-scripting-xss-vulnerability.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15693
GHSA-7xg6-gw64-jpqc