Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Reflected XSS reachable over the network without authentication but requiring victim click (UI:R); script executes in site origin yielding scope change with limited C/I/A impact on the victim session.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Cross Site Scripting (XSS) in Skillate <= 1.2.10 versions.
AnalysisAI
Reflected cross-site scripting in the Skillate WordPress theme versions 1.2.10 and below allows remote unauthenticated attackers to inject arbitrary JavaScript that executes in a victim's browser when they interact with a crafted link. The flaw carries a CVSS 3.1 score of 7.1 with scope change (S:C), reflecting that the injected script runs in the WordPress site context and can pivot against authenticated users including administrators. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Technical ContextAI
Skillate is a commercial WordPress theme published by Themeum (CPE cpe:2.3:a:themeum:skillate). The CWE-79 classification indicates improper neutralization of input during web page generation, meaning a theme-supplied template or PHP handler echoes attacker-controlled request data (typically GET/POST parameters) into the rendered HTML without contextual encoding or sanitization through WordPress helpers such as esc_html(), esc_attr(), or wp_kses(). Because the payload is reflected rather than stored, exploitation requires the victim to follow a crafted URL, and the script executes under the origin of the WordPress site.
RemediationAI
Upstream fix available per Patchstack advisory; released patched version not independently confirmed from the input data, so site operators should consult the Patchstack entry at https://patchstack.com/database/wordpress/theme/skillate/vulnerability/wordpress-skillate-theme-1-2-10-reflected-cross-site-scripting-xss-vulnerability and upgrade Skillate to any release above 1.2.10 once published by Themeum. Until a fixed version is installed, deploy a WAF rule (Patchstack, Wordfence, or equivalent) to block reflected XSS payloads against the vulnerable theme endpoints, and add a strict Content-Security-Policy that disallows inline scripts to blunt payload execution - noting that CSP may break legitimate theme inline scripts and require tuning. As a high-friction interim step, restrict the affected theme pages to authenticated users via access controls, accepting the trade-off that public-facing pages may become unreachable.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37652