CVE-2026-27348
Received Received - Intake
DOM-Based XSS in ThemeGoods Photography ≀ 7.6.1 Allows Script Injection

Publication date: 2026-03-05

Last updated on: 2026-04-23

Assigner: Patchstack

Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Photography photography allows DOM-Based XSS.This issue affects Photography: from n/a through < 7.7.6.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-05
Last Modified
2026-04-23
Generated
2026-06-19
AI Q&A
2026-03-05
EPSS Evaluated
2026-06-18
NVD
CVE-2026-27348
EUVD
EUVD-2026-9617
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
themegoods photography to 7.6.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-27348 is a Cross Site Scripting (XSS) vulnerability affecting the WordPress Photography Theme versions up to and including 7.6.1.

This vulnerability allows an attacker to inject malicious scriptsβ€”such as redirects, advertisements, or other HTML payloadsβ€”into a website, which execute when visitors access the site.

It is a DOM-Based XSS issue caused by improper neutralization of input during web page generation.

Impact Analysis

[{'type': 'paragraph', 'content': 'An attacker exploiting this vulnerability can execute malicious scripts on your website, potentially leading to unauthorized redirects, display of unwanted advertisements, or other harmful HTML payloads.'}, {'type': 'paragraph', 'content': "This can compromise the security and integrity of your website and negatively affect your visitors' experience."}, {'type': 'paragraph', 'content': 'Exploitation requires user interaction, such as clicking a malicious link or visiting a crafted page, but no authentication is needed to initiate the attack.'}, {'type': 'paragraph', 'content': 'Currently, no official patch is available, but mitigation rules from Patchstack can help block attacks targeting this vulnerability.'}] [1]

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

[{'type': 'paragraph', 'content': "To mitigate the CVE-2026-27348 vulnerability in the ThemeGoods Photography WordPress theme, users are advised to immediately apply Patchstack's mitigation rule which blocks attacks targeting this flaw."}, {'type': 'paragraph', 'content': 'Since no official patch is currently available, applying this mitigation rule is the recommended immediate step to protect websites until a safe and tested patch is released.'}] [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27348. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart