CVE-2026-3534
Stored XSS in Astra WordPress Theme Post Meta Fields
Publication date: 2026-03-11
Last updated on: 2026-03-11
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| brainstormforce | astra | to 4.12.3 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Astra theme for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in versions up to and including 4.12.3. This vulnerability exists because the theme does not properly sanitize input or escape output for certain post meta fields named `ast-page-background-meta` and `ast-content-background-meta`. Specifically, the function `astra_get_responsive_background_obj()` fails to escape four CSS-related sub-properties: background-color, background-image, overlay-color, and overlay-gradient. As a result, authenticated users with Contributor-level access or higher can inject malicious scripts into pages. These scripts will execute whenever any user views the affected page.
How can this vulnerability impact me? :
This vulnerability allows attackers with Contributor-level access or above to inject arbitrary JavaScript code into pages via specific post meta fields. The injected scripts execute in the browsers of users who visit those pages, potentially leading to unauthorized actions such as session hijacking, defacement, or theft of sensitive information. Because the vulnerability is a Stored Cross-Site Scripting flaw, the malicious code persists on the site and affects all visitors to the compromised pages.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves Stored Cross-Site Scripting (XSS) via the `ast-page-background-meta` and `ast-content-background-meta` post meta fields in the Astra WordPress theme up to version 4.12.3. Detection involves identifying posts or pages with malicious scripts injected into these meta fields.
To detect exploitation on your WordPress system, you can query the WordPress database for suspicious content in these meta fields. For example, using MySQL commands to search for script tags or suspicious JavaScript in the `wp_postmeta` table:
- SELECT * FROM wp_postmeta WHERE meta_key IN ('ast-page-background-meta', 'ast-content-background-meta') AND meta_value LIKE '%<script>%';
Additionally, monitoring HTTP traffic for unusual script execution or unexpected JavaScript payloads on pages using the Astra theme may help detect exploitation attempts.
Note that the vulnerability requires authenticated users with Contributor-level access or higher to inject scripts, so reviewing user activity logs for suspicious edits to posts or pages may also assist in detection.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to update the Astra theme to a version later than 4.12.3 where this vulnerability is fixed.
Until an update is applied, restrict Contributor-level and higher user permissions to trusted users only, as the vulnerability requires authenticated users with such access to exploit.
Additionally, consider implementing Web Application Firewall (WAF) rules to block or sanitize suspicious input in the affected meta fields.
Review and sanitize existing post meta data for injected scripts in the `ast-page-background-meta` and `ast-content-background-meta` fields to remove any malicious content.