Skip to main content

Gaea EUVDEUVD-2026-15880

| CVE-2026-32518 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-03-25 Patchstack GHSA-fwhh-xq86-2529
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

7
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
Analysis Updated
Apr 16, 2026 - 06:14 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
3.8
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15880
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:15 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in imithemes Gaea gaea allows Reflected XSS.This issue affects Gaea: from n/a through < 3.8.

AnalysisAI

A Reflected Cross-Site Scripting (XSS) vulnerability exists in the imithemes Gaea WordPress theme affecting versions prior to 3.8, allowing attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper neutralization of user input during web page generation (CWE-79), enabling attackers to steal session cookies, perform actions on behalf of users, or redirect visitors to malicious sites. No CVSS score or EPSS data is currently available, and active exploitation status via KEV has not been confirmed, but the XSS classification and public disclosure via Patchstack suggest this represents a moderate to significant risk for WordPress installations using affected Gaea theme versions.

Technical ContextAI

The imithemes Gaea theme (CPE: cpe:2.3:a:imithemes:gaea:*:*:*:*:*:*:*:*) is a WordPress theme that fails to properly sanitize and validate user-supplied input before rendering it in HTML responses. This results in a Reflected XSS vulnerability classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The root cause is the absence of adequate output encoding or input validation in one or more template files or request handlers within the theme. Reflected XSS vulnerabilities require the victim to click a specially crafted link containing the malicious payload, making them dependent on social engineering but generally easier to exploit than stored variants. WordPress themes are loaded on every page request, making them high-impact targets for XSS exploitation.

RemediationAI

Upgrade the imithemes Gaea theme to version 3.8 or later immediately through the WordPress theme management interface or directly from the theme vendor. This is the primary remediation and should be prioritized. Until patching can be completed, implement Content Security Policy (CSP) headers via WordPress plugins or server configuration to restrict script execution from untrusted sources, enable WordPress security headers (X-Frame-Options, X-Content-Type-Options), and educate site administrators and users against clicking suspicious links from untrusted sources. For high-risk installations, consider temporarily disabling the theme or switching to an alternative until patching is feasible. Verify patching completion by checking the active theme version in the WordPress admin panel under Appearance > Themes.

Share

EUVD-2026-15880 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy