Skip to main content

Thefox

2 CVEs product

Monthly

CVE-2026-57684 MEDIUM This Month

TheFox WordPress theme by tranmautritam in versions 3.9.70 and earlier allows a Contributor-level authenticated attacker to inject persistent Cross-Site Scripting payloads into theme-specific input fields, which then execute in the browsers of any user who views the affected content. The Changed Scope (S:C) in the CVSS vector confirms the payload crosses security boundaries into the victim browser context, enabling session token theft, credential harvesting, or unauthorized administrative actions against higher-privileged users such as editors or site admins. No public proof-of-concept and no CISA KEV listing have been identified at time of analysis; the vulnerability was reported and documented by Patchstack.

XSS Thefox
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-27430 HIGH This Week

Reflected cross-site scripting in the TheFox WordPress theme (versions 3.9.76 and earlier) lets an unauthenticated remote attacker inject arbitrary JavaScript that executes in a victim's browser when they follow a crafted link. Reported through Patchstack and scoped to the ThemeForest 'tranmautritam:thefox' theme, the flaw carries a CVSS 3.1 base score of 7.1 driven largely by a changed scope. There is no public exploit identified at time of analysis and no CISA KEV listing, so risk hinges on tricking a user into clicking a malicious URL.

XSS Thefox
NVD
CVSS 3.1
7.1
EPSS
0.2%
EPSS 0% CVSS 6.5
MEDIUM This Month

TheFox WordPress theme by tranmautritam in versions 3.9.70 and earlier allows a Contributor-level authenticated attacker to inject persistent Cross-Site Scripting payloads into theme-specific input fields, which then execute in the browsers of any user who views the affected content. The Changed Scope (S:C) in the CVSS vector confirms the payload crosses security boundaries into the victim browser context, enabling session token theft, credential harvesting, or unauthorized administrative actions against higher-privileged users such as editors or site admins. No public proof-of-concept and no CISA KEV listing have been identified at time of analysis; the vulnerability was reported and documented by Patchstack.

XSS Thefox
NVD VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in the TheFox WordPress theme (versions 3.9.76 and earlier) lets an unauthenticated remote attacker inject arbitrary JavaScript that executes in a victim's browser when they follow a crafted link. Reported through Patchstack and scoped to the ThemeForest 'tranmautritam:thefox' theme, the flaw carries a CVSS 3.1 base score of 7.1 driven largely by a changed scope. There is no public exploit identified at time of analysis and no CISA KEV listing, so risk hinges on tricking a user into clicking a malicious URL.

XSS Thefox
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy