Skip to main content

Riode EUVDEUVD-2026-15895

| CVE-2026-32528 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-03-25 Patchstack GHSA-hrxq-w74h-58w2
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

7
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
Analysis Updated
Apr 16, 2026 - 06:14 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
1.6.29
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15895
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:15 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in don-themes Riode riode allows Reflected XSS.This issue affects Riode: from n/a through < 1.6.29.

AnalysisAI

A Reflected Cross-Site Scripting (XSS) vulnerability exists in don-themes Riode WordPress theme versions prior to 1.6.29, allowing attackers to inject malicious JavaScript code that executes in users' browsers when they click on crafted links. This CWE-79 vulnerability affects the Riode multi-purpose WooCommerce theme and enables attackers to steal session cookies, perform actions on behalf of users, or redirect users to malicious sites. No CVSS score, EPSS data, or formal KEV status is currently available, but the vulnerability was reported by Patchstack with a confirmed patch available in version 1.6.29 and later.

Technical ContextAI

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), which represents a failure to properly sanitize or encode user-supplied input before reflecting it in HTML output. In the context of the Riode theme (CPE cpe:2.3:a:don-themes:riode:*:*:*:*:*:*:*:*), this likely occurs in a web parameter or query string that is echoed back in the HTTP response without adequate HTML entity encoding or input validation. Reflected XSS vulnerabilities in WordPress themes typically manifest in search parameters, filtering options, pagination, or other user-interactive features that dynamically generate page content. The attacker exploits the theme's failure to apply functions like esc_attr(), esc_html(), or wp_kses_post() to neutralize potentially dangerous input, allowing script tags or event handlers to be injected into the DOM.

RemediationAI

Immediately upgrade the don-themes Riode theme to version 1.6.29 or later, which contains the security patch. Site administrators should navigate to WordPress Dashboard > Appearance > Themes, locate the Riode theme, and apply the available update. For detailed remediation guidance, refer to the Patchstack vulnerability database entry at https://patchstack.com/database/Wordpress/Theme/riode/vulnerability/wordpress-riode-multi-purpose-woocommerce-theme-1-6-29-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve. Until patching is completed, implement Web Application Firewall (WAF) rules to block requests containing common XSS payloads and ensure Content Security Policy (CSP) headers are configured to restrict script execution. Additionally, educate users to avoid clicking on suspicious links pointing to your Riode-powered site, and monitor for unusual activity in access logs that may indicate exploitation attempts.

Share

EUVD-2026-15895 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy