Skip to main content

Total WordPress Theme EUVDEUVD-2026-26768

| CVE-2026-5077 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-02 Wordfence
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
May 02, 2026 - 10:30 vuln.today
EUVD ID Assigned
May 02, 2026 - 10:00 euvd
EUVD-2026-26768
Analysis Generated
May 02, 2026 - 10:00 vuln.today
CVE Published
May 02, 2026 - 09:26 nvd
MEDIUM 5.4

DescriptionCVE.org

The Total theme for WordPress is vulnerable to Stored Cross-Site Scripting via post titles in versions up to, and including, 2.2.1 due to insufficient output escaping when rendering the_title() inside HTML attribute context in the home blog section template. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation requires the malicious post to be published and displayed with a featured image in the Home Page blog section.

AnalysisAI

Stored Cross-Site Scripting in Total WordPress theme versions up to 2.2.1 allows authenticated contributors and above to inject arbitrary JavaScript via post titles in the home blog section. The vulnerability stems from insufficient output escaping when rendering post titles in HTML attribute context. Exploitation requires the malicious post to be published and displayed with a featured image on the home page, where the injected script will execute in the browsers of all users viewing the page. No public exploit code has been identified, and active exploitation has not been confirmed.

Technical ContextAI

The Total theme for WordPress improperly handles the the_title() WordPress function when rendering post titles within HTML attributes in the home blog section template. The issue is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), a classic Cross-Site Scripting vulnerability. When post titles containing malicious JavaScript are rendered directly into HTML attributes without proper escaping (such as using esc_attr() in WordPress), the JavaScript payload breaks out of the attribute context and executes as active script. The vulnerability is stored, meaning the payload persists in the WordPress database and executes every time the page is loaded, affecting all site visitors who view the injected post.

RemediationAI

The primary remediation is to update the Total theme to version 2.2.2 or later, which implements proper output escaping for post titles in the home blog section template. Site administrators should navigate to the WordPress admin dashboard, go to Appearance → Themes, locate Total, and click Update if available. For immediate protection before updating, site administrators can restrict contributor access to only trusted users, implement post moderation to review all new posts before publication, or temporarily disable the home page blog section feature if not critical to site functionality. The trade-off of restricting contributor access is reduced editorial workflow flexibility; post moderation adds administrative overhead but preserves functionality. Disabling the blog section is the most restrictive but eliminates the attack surface entirely. Reference the Wordfence advisory and WordPress theme repository changeset for patch details and confirmation of the fix.

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

EUVD-2026-26768 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy