Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Reflected XSS over the web (AV:N/AC:L), no auth needed (PR:N) but victim must click (UI:R); script runs in the WordPress session, crossing scope (S:C) with Low C/I/A impact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Cross Site Scripting (XSS) in Enfold <= 7.1.4 versions.
AnalysisAI
Reflected cross-site scripting in the Enfold WordPress theme versions up to and including 7.1.4 allows remote unauthenticated attackers to execute arbitrary JavaScript in a victim's browser when the user is lured into clicking a crafted link. The CVSS scope change (S:C) and Low impact across C/I/A indicate the injected script can affect components beyond the vulnerable theme component, typically the authenticated WordPress session. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires (1) a target site running the Enfold theme at version 7.1.4 or earlier, (2) the attacker to deliver a crafted URL containing the reflected XSS payload to a victim, and (3) the victim to click that link in a browser - the CVSS UI:R requirement means there is no silent server-side trigger. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) reflects a typical reflected-XSS profile: network-reachable, low complexity, no authentication, but requires user interaction (clicking a crafted link). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a URL pointing at a vulnerable Enfold-powered WordPress site with malicious JavaScript embedded in a reflected parameter, then distributes it via phishing email, social media, or a comment on another site. When a logged-in WordPress administrator clicks the link, the payload executes in their browser session and can steal authentication cookies, exfiltrate nonces, perform CSRF-like actions such as creating a new admin user, or inject a persistent backdoor through the theme/plugin editor. |
| Remediation | Upstream fix available per Patchstack advisory; a released patched version is not independently confirmed in the provided data, so administrators should consult the Patchstack page (https://patchstack.com/database/wordpress/theme/enfold/vulnerability/wordpress-enfold-theme-7-1-4-reflected-cross-site-scripting-xss-vulnerability) and Kriesi/ThemeForest for the next Enfold release above 7.1.4 and upgrade promptly. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all WordPress installations using Enfold theme and document their versions; contact Enfold vendor support to confirm patch availability and release timeline. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Unspecified vulnerability in the folder framework in the Enfold theme before 3.0.1 for WordPress has unknown impact and
The Enfold Enfold WordPress theme before 4.8.4 was vulnerable to Reflected Cross-Site Scripting (XSS). Rated medium seve
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kriesi Enfold - Re
The Enfold - Responsive Multi-Purpose Theme theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘wr
The Enfold theme for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.0.9
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Kriesi.At E
The Enfold theme for WordPress is vulnerable to unauthorized access of data due to a missing capability check in avia-ex
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37494