Skip to main content

Vayvo EUVDEUVD-2026-15693

| CVE-2026-25373 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-03-25 Patchstack GHSA-7xg6-gw64-jpqc
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

7
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
Analysis Updated
Apr 16, 2026 - 06:14 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
6.8
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15693
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ProgressionStudios Vayvo vayvo-progression allows Reflected XSS.This issue affects Vayvo: from n/a through < 6.8.

AnalysisAI

A Reflected Cross-Site Scripting (XSS) vulnerability exists in the ProgressionStudios Vayvo WordPress theme (versions prior to 6.8) that allows attackers to inject malicious scripts into web pages viewed by users. An attacker can craft a malicious URL containing unsanitized input and trick users into clicking it, causing arbitrary JavaScript to execute in the victim's browser within the context of the Vayvo-powered site. No CVSS score, EPSS probability, or KEV confirmation is currently available, but the reflected XSS classification and Patchstack reporting indicate this is a known, credible vulnerability with patch availability.

Technical ContextAI

This vulnerability stems from improper input neutralization during web page generation, classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The Vayvo WordPress theme (identified via CPE cpe:2.3:a:progressionstudios:vayvo:*:*:*:*:*:*:*:*) fails to adequately sanitize or escape user-supplied input before rendering it in HTML responses. Unlike stored XSS, reflected XSS requires the malicious payload to be transmitted through the HTTP request itself, typically via URL parameters or form submissions. The vulnerability is likely in a theme template file or custom plugin code that directly echoes unvalidated GET or POST parameters without applying WordPress security functions such as esc_attr(), esc_html(), or wp_kses_post().

RemediationAI

Immediately upgrade the Vayvo WordPress theme to version 6.8 or later through the WordPress theme management interface or directly from the vendor. After upgrading, clear browser caches and verify the update via the WordPress admin dashboard. As an interim mitigation for unpatched installations, implement a Web Application Firewall (WAF) rule set to detect and block common XSS payloads in URL parameters, enable Content Security Policy (CSP) headers to restrict inline script execution, and educate users not to click suspicious links from untrusted sources. For detailed patch information and vendor advisory, refer to the Patchstack database entry at https://patchstack.com/database/Wordpress/Theme/vayvo-progression/vulnerability/wordpress-vayvo-media-streaming-membership-wordpress-theme-theme-6-8-reflected-cross-site-scripting-xss-vulnerability.

Share

EUVD-2026-15693 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy