Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
7DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in don-themes Riode riode allows Reflected XSS.This issue affects Riode: from n/a through < 1.6.29.
AnalysisAI
A Reflected Cross-Site Scripting (XSS) vulnerability exists in don-themes Riode WordPress theme versions prior to 1.6.29, allowing attackers to inject malicious JavaScript code that executes in users' browsers when they click on crafted links. This CWE-79 vulnerability affects the Riode multi-purpose WooCommerce theme and enables attackers to steal session cookies, perform actions on behalf of users, or redirect users to malicious sites. No CVSS score, EPSS data, or formal KEV status is currently available, but the vulnerability was reported by Patchstack with a confirmed patch available in version 1.6.29 and later.
Technical ContextAI
The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), which represents a failure to properly sanitize or encode user-supplied input before reflecting it in HTML output. In the context of the Riode theme (CPE cpe:2.3:a:don-themes:riode:*:*:*:*:*:*:*:*), this likely occurs in a web parameter or query string that is echoed back in the HTTP response without adequate HTML entity encoding or input validation. Reflected XSS vulnerabilities in WordPress themes typically manifest in search parameters, filtering options, pagination, or other user-interactive features that dynamically generate page content. The attacker exploits the theme's failure to apply functions like esc_attr(), esc_html(), or wp_kses_post() to neutralize potentially dangerous input, allowing script tags or event handlers to be injected into the DOM.
RemediationAI
Immediately upgrade the don-themes Riode theme to version 1.6.29 or later, which contains the security patch. Site administrators should navigate to WordPress Dashboard > Appearance > Themes, locate the Riode theme, and apply the available update. For detailed remediation guidance, refer to the Patchstack vulnerability database entry at https://patchstack.com/database/Wordpress/Theme/riode/vulnerability/wordpress-riode-multi-purpose-woocommerce-theme-1-6-29-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve. Until patching is completed, implement Web Application Firewall (WAF) rules to block requests containing common XSS payloads and ensure Content Security Policy (CSP) headers are configured to restrict script execution. Additionally, educate users to avoid clicking on suspicious links pointing to your Riode-powered site, and monitor for unusual activity in access logs that may indicate exploitation attempts.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15895
GHSA-hrxq-w74h-58w2