Skip to main content

Techone EUVDEUVD-2026-20270

| CVE-2026-39625 MEDIUM
Basic XSS (CWE-80)
2026-04-08 Patchstack GHSA-65jg-j4jj-9wfr
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20270
Analysis Generated
Apr 08, 2026 - 08:45 vuln.today
CVE Published
Apr 08, 2026 - 08:30 nvd
MEDIUM 5.3

DescriptionCVE.org

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in kutethemes TechOne techone allows Code Injection.This issue affects TechOne: from n/a through <= 3.0.3.

AnalysisAI

Improper neutralization of script-related HTML tags in kutethemes TechOne WordPress theme versions up to 3.0.3 enables unauthenticated attackers to inject malicious code through basic cross-site scripting (XSS), resulting in limited information disclosure. The vulnerability has an exceptionally low EPSS score (0.03%, percentile 8%) despite the moderate CVSS rating, suggesting minimal real-world exploitation likelihood. No public exploit code or confirmed active exploitation has been identified at the time of analysis.

Technical ContextAI

This vulnerability exploits inadequate input sanitization in the TechOne WordPress theme, a content management system extension. The root cause falls under CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page), a foundational XSS classification that occurs when user-supplied input containing HTML script tags is not properly neutralized before being rendered in a web page. WordPress themes are executed server-side but output HTML to browsers; failure to escape or filter script-related tags allows attackers to inject arbitrary JavaScript that executes in victims' browsers. The CPE designation (cpe:2.3:a:kutethemes:techone:*:*:*:*:*:*:*:*) identifies this as a WordPress theme plugin distributed by kutethemes. The vulnerability permits code injection through the theme's template rendering pipeline, likely via shortcode processing or widget content areas that lack proper HTML entity encoding.

RemediationAI

Upgrade kutethemes TechOne theme to a patched version higher than 3.0.3. Immediate patch version availability is not explicitly confirmed in the provided data; users should check the Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/techone/vulnerability/wordpress-techone-theme-3-0-3-arbitrary-shortcode-execution-vulnerability and the official NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-39625 for confirmed patched version availability and release timing. As an interim workaround, disable or restrict execution of untrusted shortcodes within the theme settings, and ensure WordPress security plugins with XSS filtering are active. Verify through the vendor's release notes or support channels that the installed version post-remediation has been confirmed patched.

Share

EUVD-2026-20270 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy