Severity by source
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeum Qubely qubely allows Stored XSS.This issue affects Qubely: from n/a through <= 1.8.14.
AnalysisAI
Stored cross-site scripting (XSS) in Themeum Qubely WordPress plugin version 1.8.14 and earlier allows authenticated high-privilege users to inject malicious scripts that execute in the browsers of other site visitors, compromising session integrity and enabling credential theft or malware distribution. The vulnerability requires administrator authentication and user interaction (UI:R), limiting immediate risk, but stored persistence means injected payloads remain active until remediated. EPSS exploitation probability is extremely low at 0.03%, suggesting minimal real-world targeting despite public disclosure.
Technical ContextAI
Qubely is a WordPress page builder plugin that handles user-supplied input during web page generation without proper sanitization or encoding, allowing attackers to bypass input validation mechanisms. The vulnerability exploits CWE-79 (Improper Neutralization of Input During Web Page Generation), a class of weaknesses where untrusted data is rendered in HTML contexts without neutralization. The affected plugin versions (CPE:a:themeum:qubely:*) fail to escape or validate content at the point of storage or output, enabling stored XSS payloads to persist in the WordPress database and execute within the security context of authenticated users viewing the compromised page.
RemediationAI
Update Themeum Qubely to a version newer than 1.8.14 immediately; consult the plugin's official release page or WordPress.org plugin repository for the latest patched version number. If an immediate upgrade is not possible, restrict administrative and editor access to trusted users only, disable the plugin temporarily, or implement Web Application Firewall (WAF) rules to detect and block stored XSS payloads in Qubely-generated content. Review WordPress user roles and audit recent posts/pages created or modified by high-privilege accounts for suspicious script injections. Additional guidance is available at https://patchstack.com/database/Wordpress/Plugin/qubely/vulnerability/wordpress-qubely-plugin-1-8-14-cross-site-scripting-xss-vulnerability and https://nvd.nist.gov/vuln/detail/CVE-2026-39638.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20296
GHSA-338c-7gw3-rg6c