CVE-2026-39628
Cross-Site Scripting in DukaMarket β€ 1.3.0 Enables Code Injection
Publication date: 2026-04-08
Last updated on: 2026-04-29
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| kutethemes | dukmarket | to 1.3.0 (inc) |
| kutethemes | dukamarket | to 1.3.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-80 | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability allows unauthenticated attackers to inject arbitrary content into pages and posts on affected websites using the DukaMarket theme up to version 1.3.0.
To detect this vulnerability on your system, you can attempt to inject simple script-related HTML tags or shortcodes into pages or posts and observe if the input is improperly neutralized, resulting in code injection.
Since no official patch or specific detection commands are provided, manual testing by submitting payloads such as <script>alert(1)</script> or shortcode injections in content fields may help identify if the vulnerability exists.
- Use curl or similar tools to POST content with script tags or shortcodes to the affected site endpoints and check the response or rendered page for execution or inclusion of injected content.
- Example curl command to test injection via POST (replace URL and parameters accordingly):
curl -X POST -d 'post_content=<script>alert(1)</script>' https://yourdukamarketwebsite.com/wp-admin/post.php
Monitor the page rendering to see if the script executes or appears unescaped, indicating vulnerability.
Can you explain this vulnerability to me?
CVE-2026-39628 is a vulnerability in the WordPress DukaMarket Theme versions up to and including 1.3.0 that allows unauthenticated attackers to inject arbitrary content into pages and posts on affected websites.
This vulnerability is caused by improper neutralization of script-related HTML tags, which is a type of basic Cross-Site Scripting (XSS) attack.
Attackers can exploit this flaw to insert malicious or phishing content into the website, potentially affecting visitors.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing attackers to inject malicious or phishing content into your website's pages or posts without authentication.
Such content injection can lead to compromised user trust, potential redirection to malicious sites, or the execution of harmful scripts in visitors' browsers.
However, the vulnerability has a CVSS severity score of 5.3, indicating a low priority threat with limited impact, and it is considered unlikely to be widely exploited.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves updating the affected DukaMarket theme if possible or seeking assistance from hosting providers or web developers.
Since no official patch is currently available beyond version 1.3.0, you may consider using rapid vulnerability mitigation services offered by Patchstack.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows unauthenticated attackers to inject arbitrary content into pages and posts, potentially enabling malicious or phishing content insertion. Such unauthorized content injection could lead to data integrity and security issues, which may impact compliance with standards like GDPR and HIPAA that require protection of data and prevention of unauthorized access or modification.
However, the provided information does not explicitly describe the direct effects of this vulnerability on compliance with GDPR, HIPAA, or other regulations.