CVE-2026-57618
Deferred Deferred - Pending Action
Contributor XSS in Neve PRO <= 3.1.2

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: Patchstack

Description
Contributor Cross Site Scripting (XSS) in Neve PRO <= 3.1.2 versions.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-26
Last Modified
2026-06-26
Generated
2026-06-26
AI Q&A
2026-06-26
EPSS Evaluated
N/A
NVD
CVE-2026-57618
EUVD
EUVD-2026-39741
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
themeisle neve_pro to 3.1.2 (inc)
themeisle neve_pro 3.1.3
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of the Neve PRO Cross Site Scripting (XSS) vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

The WordPress Neve PRO Theme, versions 3.1.2 and below, is vulnerable to a Cross Site Scripting (XSS) attack. This means that attackers can inject malicious scripts into websites using this theme. These scripts can execute unwanted actions such as redirects or displaying advertisements when visitors access the site.

Exploitation requires a privileged user to perform an action like clicking a malicious link or submitting a form. The vulnerability has a CVSS score of 6.5 and was fixed in version 3.1.3.

Impact Analysis

This vulnerability can allow attackers to inject malicious scripts into your website, which may lead to unwanted redirects, display of advertisements, or execution of other harmful HTML payloads when visitors access your site.

Successful exploitation requires a privileged user to interact with a malicious link or form, which could compromise the integrity and user experience of your website.

Detection Guidance

This vulnerability affects WordPress sites using the Neve PRO Theme version 3.1.2 or below. Detection involves verifying the theme version installed on your WordPress site.

You can check the theme version by accessing the WordPress admin dashboard or by running commands on the server hosting the site.

  • Use WP-CLI to check the installed theme version: wp theme list --status=active
  • Manually inspect the style.css file in the theme directory (usually wp-content/themes/neve-pro/) for the version number.

Additionally, monitoring for suspicious script injections or unexpected redirects in web traffic logs may help identify exploitation attempts, but no specific detection commands are provided.

Mitigation Strategies

The primary mitigation step is to update the Neve PRO Theme to version 3.1.3 or later, where this Cross Site Scripting vulnerability has been patched.

Until the update can be applied, restrict privileged user actions that could trigger the vulnerability, such as clicking untrusted links or submitting untrusted forms.

Implement general security best practices such as limiting user privileges, enabling web application firewalls, and monitoring for suspicious activity.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-57618. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart