CVE-2026-10077
Received Received - Intake

Stored XSS in YOOtheme WordPress Theme

Vulnerability report for CVE-2026-10077, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-02

Last updated on: 2026-07-02

Assigner: WPScan

Description

The yootheme WordPress theme before 5.0.35 does not prevent its bundled front-end framework from treating certain HTML attributes, which are permitted by wp_kses_post(), as markup, allowing users with the Author role to perform Stored Cross-Site Scripting attacks that execute in the browser of any user who views the affected post.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-02
Last Modified
2026-07-02
Generated
2026-07-02
AI Q&A
2026-07-02
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
yootheme yootheme_pro to 5.0.35 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Mitigation Strategies

The immediate mitigation step is to update the YOOtheme Pro WordPress theme to version 5.0.35 or later, where this vulnerability has been fixed.

Until the update can be applied, restrict the Author role's ability to publish posts or review posts created by Authors for suspicious HTML attributes.

Consider implementing additional filtering or sanitization of post content to prevent the injection of malicious attributes that could lead to stored cross-site scripting.

Executive Summary

The vulnerability exists in YOOtheme Pro WordPress themes before version 5.0.35. It allows users with the Author role to perform stored Cross-Site Scripting (XSS) attacks by injecting malicious JavaScript code into posts.

This happens because the theme's bundled front-end framework treats certain HTML attributes, which are normally allowed by the WordPress function wp_kses_post(), as executable markup. As a result, malicious scripts embedded in these attributes can be stored in the database and executed in the browsers of users who view the affected posts.

  • Users with Author privileges can inject malicious code via specially crafted HTML attributes like data-attrs or data-caption.
  • The injected JavaScript executes when other users view or interact with the post content.

This vulnerability is classified as medium severity with a CVSS score of 6.8 and falls under OWASP Top 10 category A7 (Cross-Site Scripting) and CWE-79.

Impact Analysis

This vulnerability can impact you by allowing attackers with Author-level access to inject malicious JavaScript into posts that will execute in the browsers of any users who view those posts.

  • It can lead to session hijacking, theft of sensitive information, or unauthorized actions performed on behalf of the victim user.
  • It undermines the trustworthiness of your website content and can damage your site's reputation.
  • Users interacting with the affected posts may be exposed to malware or phishing attacks.
Detection Guidance

This vulnerability can be detected by inspecting posts created by users with the Author role for the presence of suspicious HTML attributes that are allowed by wp_kses_post() but can be interpreted as executable markup by the YOOtheme Pro front-end framework.

Specifically, look for posts containing attributes such as data-attrs="onload: alert()" or data-caption with embedded script tags that could execute JavaScript.

Commands to detect such malicious content could include searching the WordPress database for posts containing these suspicious attributes. For example, using a MySQL command to search the wp_posts table:

  • SELECT ID, post_title FROM wp_posts WHERE post_content LIKE '%data-attrs=%' OR post_content LIKE '%data-caption=%';

Additionally, scanning web traffic or logs for unexpected JavaScript execution triggered by these attributes may help detect exploitation attempts.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10077. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart