Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in SpabRice Nyla allows Code Injection.
This issue affects Nyla: from n/a through 1.7.
AnalysisAI
Basic XSS via arbitrary shortcode execution in the Nyla WordPress theme (versions through 1.7) allows unauthenticated remote attackers to inject script-bearing HTML tags into rendered web pages, resulting in limited confidentiality impact against site visitors. The vulnerability is classified under CWE-80 and was disclosed by Patchstack, who titled the finding 'Arbitrary Shortcode Execution' - indicating that the XSS payload is delivered through unsanitized shortcode rendering rather than a conventional input field. No public exploit code exists and no active exploitation has been confirmed at time of analysis.
Technical ContextAI
Nyla is a WordPress theme developed by SpabRice, identified by CPE cpe:2.3:a:spabrice:nyla:*:*:*:*:*:*:*:* and affected through version 1.7. The root cause is CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page), a form of Basic XSS where script-related HTML constructs - such as <script>, <img onerror=...>, or similar tags - are not properly sanitized before being rendered in the browser. The Patchstack advisory title specifically references 'arbitrary shortcode execution,' which suggests the injection point is WordPress's shortcode processing pipeline: an attacker can supply shortcode input that the theme renders without stripping malicious HTML tags, causing script execution in the visitor's browser context. This is a theme-level vulnerability, meaning it affects any WordPress installation running the Nyla theme regardless of plugin configuration.
RemediationAI
The primary remediation is to update the Nyla WordPress theme to a version beyond 1.7 if a patched release has been issued by SpabRice; however, no specific patched version number is confirmed in the available data - consult the Patchstack advisory at https://patchstack.com/database/wordpress/theme/nyla/vulnerability/wordpress-nyla-theme-1-7-arbitrary-shortcode-execution-vulnerability for the latest patch availability and version details. If no patched version is yet available, consider deactivating the Nyla theme and switching to an alternative until a fix is released; this is a significant operational trade-off but eliminates the attack surface entirely. As a partial compensating control, deploying a Web Application Firewall (WAF) with rules targeting script-tag injection in WordPress shortcode parameters can reduce exploitation likelihood, though WAF bypass is possible and this should not be treated as a permanent fix. WordPress administrators should also audit shortcode-accepting inputs site-wide and restrict public submission of shortcode content where possible.
Same weakness CWE-80 – Basic XSS
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31803
GHSA-xmff-c6m5-xm5c