Skip to main content

TheFox EUVDEUVD-2026-41336

| CVE-2026-27430 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-07-02 Patchstack GHSA-2qwh-3hfv-wj79
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
6.1 MEDIUM

Unauthenticated network reflected XSS needing victim click (PR:N/UI:R), script runs in browser context (S:C) with limited confidentiality/integrity impact and no real availability effect (A:N).

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jul 02, 2026 - 12:12 vuln.today

DescriptionCVE.org

Unauthenticated Cross Site Scripting (XSS) in TheFox <= 3.9.76 versions.

AnalysisAI

Reflected cross-site scripting in the TheFox WordPress theme (versions 3.9.76 and earlier) lets an unauthenticated remote attacker inject arbitrary JavaScript that executes in a victim's browser when they follow a crafted link. Reported through Patchstack and scoped to the ThemeForest 'tranmautritam:thefox' theme, the flaw carries a CVSS 3.1 base score of 7.1 driven largely by a changed scope. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious URL with XSS payload
Delivery
Phish victim to click link
Exploit
Reflected parameter renders unsanitized script
Execution
JavaScript executes in victim browser
Impact
Hijack session or perform actions

Vulnerability AssessmentAI

Exploitation Exploitation requires a victim to interact by clicking or loading an attacker-crafted URL against a site running TheFox 3.9.76 or earlier (UI:R in the CVSS vector), and no authentication is needed by the attacker (PR:N). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L describes a network-reachable, low-complexity, unauthenticated attack that requires user interaction, with a scope change (S:C) that pushes the score to 7.1 (High) despite only Low impacts to confidentiality, integrity, and availability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a URL to a TheFox-powered WordPress site containing a malicious script in a reflected parameter and delivers it to a logged-in administrator via phishing email or a malicious link. When the admin opens the link, the injected JavaScript runs in their authenticated session and can steal cookies, perform actions on their behalf, or attempt to plant a backdoor. …
Remediation No vendor-released patch version was identified in the provided data, so consult the Patchstack advisory (https://patchstack.com/database/wordpress/theme/thefox/vulnerability/wordpress-thefox-theme-3-9-76-reflected-cross-site-scripting-xss-vulnerability) and the ThemeForest product page for a release above 3.9.76 and upgrade to it once confirmed. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all WordPress installations using TheFox theme and document current versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-41336 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy