Skip to main content

Kids Life Theme EUVDEUVD-2026-41328

| CVE-2026-27402 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-07-02 Patchstack GHSA-7rxg-r73h-jq37
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
7.1 HIGH

Network-reachable unauthenticated XSS requiring victim interaction (UI:R) with scope change into the browser context and limited low-impact script effects, matching typical reflected theme XSS.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jul 02, 2026 - 12:08 vuln.today
CVE Published
Jul 02, 2026 - 11:14 cve.org
HIGH 7.1

DescriptionCVE.org

Unauthenticated Cross Site Scripting (XSS) in Kids Life | Children School WordPress <= 5.2 versions.

AnalysisAI

Reflected/stored cross-site scripting in the DesignThemes 'Kids Life | Children School' WordPress theme (versions 5.2 and earlier) allows unauthenticated remote attackers to inject arbitrary web script that executes in a victim's browser when they interact with a crafted link or input. The CVSS vector (PR:N, UI:R, Scope Changed) indicates no authentication is needed but the victim must be lured into interaction, and the injected script can cross into other security contexts. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious link with XSS payload
Delivery
Deliver link to site user via phishing
Exploit
Victim clicks and theme reflects payload
Execution
Script executes in browser session
Impact
Steal session cookies or perform actions as victim

Vulnerability AssessmentAI

Exploitation Exploitation requires no authentication (PR:N) but does require victim user interaction (UI:R) - the target must click a crafted link or submit attacker-influenced input that is reflected by the theme, so it cannot be triggered fully autonomously against a passive server. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are moderate and internally consistent. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a URL to a vulnerable Kids Life site containing a malicious script payload in a reflected parameter, then delivers it to a site visitor or administrator via phishing email or a malicious link. When the victim opens the link, the script executes in their browser session in the site's context - enabling session/cookie theft, redirection, or actions on the victim's behalf. …
Remediation No fixed version number is specified in the provided data, so treat this as 'Patch available per vendor advisory' and consult the Patchstack advisory (https://patchstack.com/database/wordpress/theme/kidslife/vulnerability/wordpress-kids-life-children-school-wordpress-theme-5-2-cross-site-scripting-xss-vulnerability) and the DesignThemes changelog for a release above 5.2, upgrading to it once confirmed. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all WordPress instances using DesignThemes 'Kids Life | Children School' theme, versions 5.2 and earlier. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-41328 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy