Skip to main content

Flatsome EUVDEUVD-2026-43374

| CVE-2026-57728 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-07-13 Patchstack
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
6.1 MEDIUM

Reflected XSS is network-reachable with low complexity and no auth but needs a victim click (UI:R); script runs cross-context (S:C) with low C/I and no genuine availability impact (A:N).

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jul 13, 2026 - 10:43 vuln.today
CVE Published
Jul 13, 2026 - 08:41 cve.org
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in UX-themes Flatsome flatsome allows Reflected XSS.This issue affects Flatsome: from n/a through <= 3.20.5.

AnalysisAI

Reflected cross-site scripting in the UX-themes Flatsome WordPress/WooCommerce theme (all versions up to and including 3.20.5) lets a remote attacker inject script that executes in a victim's browser when they click a crafted link. Reported by Patchstack with a CVSS 3.1 score of 7.1 (scope-changed, low-impact), the flaw requires user interaction but no authentication. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious URL with XSS payload
Delivery
Deliver link to site admin via phishing
Exploit
Victim clicks and page reflects payload
Execution
Script executes in browser session
Impact
Steal cookies or perform admin actions

Vulnerability AssessmentAI

Exploitation Exploitation requires the victim to click or load an attacker-crafted URL against a site running Flatsome 3.20.5 or earlier (UI:R in the CVSS vector), so it cannot be triggered zero-click. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, score 7.1) indicates network reach, low attack complexity, and no privileges, but exploitation hinges on user interaction (UI:R) - a victim must open an attacker-supplied link - which meaningfully lowers real-world likelihood versus a zero-click flaw. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a URL to a Flatsome-powered store containing a malicious script payload in a reflected parameter and delivers it via phishing email, ad, or social message to a logged-in site administrator. When the victim clicks the link, the script executes in their browser under the site's origin, allowing the attacker to steal session cookies, act on the admin's behalf, or redirect to a credential-harvesting page. …
Remediation Upgrade Flatsome to a release later than 3.20.5 as soon as the vendor (UX-themes) publishes a fixed version; the Patchstack advisory (https://patchstack.com/database/Wordpress/Theme/flatsome/vulnerability/wordpress-flatsome-theme-3-20-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve) is the authoritative reference and will note the patched build - no exact fixed version is confirmed in the provided data, so verify it against the vendor changelog before deploying. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, audit all WordPress installations to identify those running Flatsome theme versions 3.20.5 and earlier; take the theme offline or switch to an alternative theme immediately to eliminate attack surface. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-43374 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy