Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Reflected XSS is network-reachable with low complexity and no auth but needs a victim click (UI:R); script runs cross-context (S:C) with low C/I and no genuine availability impact (A:N).
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in UX-themes Flatsome flatsome allows Reflected XSS.This issue affects Flatsome: from n/a through <= 3.20.5.
AnalysisAI
Reflected cross-site scripting in the UX-themes Flatsome WordPress/WooCommerce theme (all versions up to and including 3.20.5) lets a remote attacker inject script that executes in a victim's browser when they click a crafted link. Reported by Patchstack with a CVSS 3.1 score of 7.1 (scope-changed, low-impact), the flaw requires user interaction but no authentication. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the victim to click or load an attacker-crafted URL against a site running Flatsome 3.20.5 or earlier (UI:R in the CVSS vector), so it cannot be triggered zero-click. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, score 7.1) indicates network reach, low attack complexity, and no privileges, but exploitation hinges on user interaction (UI:R) - a victim must open an attacker-supplied link - which meaningfully lowers real-world likelihood versus a zero-click flaw. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a URL to a Flatsome-powered store containing a malicious script payload in a reflected parameter and delivers it via phishing email, ad, or social message to a logged-in site administrator. When the victim clicks the link, the script executes in their browser under the site's origin, allowing the attacker to steal session cookies, act on the admin's behalf, or redirect to a credential-harvesting page. … |
| Remediation | Upgrade Flatsome to a release later than 3.20.5 as soon as the vendor (UX-themes) publishes a fixed version; the Patchstack advisory (https://patchstack.com/database/Wordpress/Theme/flatsome/vulnerability/wordpress-flatsome-theme-3-20-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve) is the authoritative reference and will note the patched build - no exact fixed version is confirmed in the provided data, so verify it against the vendor changelog before deploying. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, audit all WordPress installations to identify those running Flatsome theme versions 3.20.5 and earlier; take the theme offline or switch to an alternative theme immediately to eliminate attack surface. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Deserialization of Untrusted Data vulnerability in UX-themes Flatsome | Multi-Purpose Responsive WooCommerce Theme.17.5.
Broken access control in the UX-Themes Flatsome WordPress theme (versions up to and including 3.20.5) allows remote unau
Broken access control in the Flatsome WordPress theme (versions <= 3.20.5) allows contributor-level authenticated users
The Flatsome theme for WordPress is vulnerable to Stored Cross-Site Scripting via the UX Countdown, Video Button, UX Vid
Unauth. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low at
Insufficient authorization controls in Flatsome theme versions 3.19.6 and earlier allow unauthenticated remote attackers
Broken access control in Flatsome WordPress theme versions 3.20.5 and earlier allows authenticated subscriber-level user
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43374