Skip to main content

Skillate WordPress Theme EUVDEUVD-2026-37652

| CVE-2026-22329 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-17 Patchstack
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
7.1 HIGH

Reflected XSS reachable over the network without authentication but requiring victim click (UI:R); script executes in site origin yielding scope change with limited C/I/A impact on the victim session.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 12:34 vuln.today

DescriptionCVE.org

Unauthenticated Cross Site Scripting (XSS) in Skillate <= 1.2.10 versions.

AnalysisAI

Reflected cross-site scripting in the Skillate WordPress theme versions 1.2.10 and below allows remote unauthenticated attackers to inject arbitrary JavaScript that executes in a victim's browser when they interact with a crafted link. The flaw carries a CVSS 3.1 score of 7.1 with scope change (S:C), reflecting that the injected script runs in the WordPress site context and can pivot against authenticated users including administrators. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Technical ContextAI

Skillate is a commercial WordPress theme published by Themeum (CPE cpe:2.3:a:themeum:skillate). The CWE-79 classification indicates improper neutralization of input during web page generation, meaning a theme-supplied template or PHP handler echoes attacker-controlled request data (typically GET/POST parameters) into the rendered HTML without contextual encoding or sanitization through WordPress helpers such as esc_html(), esc_attr(), or wp_kses(). Because the payload is reflected rather than stored, exploitation requires the victim to follow a crafted URL, and the script executes under the origin of the WordPress site.

RemediationAI

Upstream fix available per Patchstack advisory; released patched version not independently confirmed from the input data, so site operators should consult the Patchstack entry at https://patchstack.com/database/wordpress/theme/skillate/vulnerability/wordpress-skillate-theme-1-2-10-reflected-cross-site-scripting-xss-vulnerability and upgrade Skillate to any release above 1.2.10 once published by Themeum. Until a fixed version is installed, deploy a WAF rule (Patchstack, Wordfence, or equivalent) to block reflected XSS payloads against the vulnerable theme endpoints, and add a strict Content-Security-Policy that disallows inline scripts to blunt payload execution - noting that CSP may break legitimate theme inline scripts and require tuning. As a high-friction interim step, restrict the affected theme pages to authenticated users via access controls, accepting the trade-off that public-facing pages may become unreachable.

Share

EUVD-2026-37652 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy