Description
WordPress Theme Wibar 1.1.8 contains a stored cross-site scripting vulnerability in the Brand component that allows authenticated users to inject malicious scripts by manipulating the Logo URL parameter. Attackers with editor, administrator, contributor, or author privileges can inject base64-encoded script payloads through the ftc_brand_url input field to execute arbitrary JavaScript when users visit the brand page.
Published: 2026-05-16
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a stored cross‑site scripting flaw that is triggered when an authenticated user manipulates the Logo URL parameter in the Brand component of the WordPress Theme Wibar. By inserting a base64‑encoded script into the ftc_brand_url input field, attackers can embed arbitrary JavaScript that will execute when users visit the brand page.

Affected Systems

WordPress Theme Wibar version 1.1.8, affecting users with editor, administrator, contributor, and author roles.

Risk and Exploitability

The CVSS score of 5.1 indicates a moderate severity level, and there is no EPSS data available, with the vulnerability not listed in the CISA KEV catalog. Attack requires authenticated privileges; once the script is stored it executes automatically for every visitor to the brand page, creating a persistent threat. The lack of exploitation data means the likelihood of exploitation remains uncertain, but the impact is significant for sites using this theme.

Generated by OpenCVE AI on May 16, 2026 at 16:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest version of the WordPress Theme Wibar that includes the fix for the brand component
  • Restrict the ability to edit the Brand component to administrators only, disabling editor, contributor, and author roles
  • Sanitize the ftc_brand_url field to reject HTML or JavaScript content before storage

Generated by OpenCVE AI on May 16, 2026 at 16:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 16 May 2026 15:45:00 +0000

Type Values Removed Values Added
Description WordPress Theme Wibar 1.1.8 contains a stored cross-site scripting vulnerability in the Brand component that allows authenticated users to inject malicious scripts by manipulating the Logo URL parameter. Attackers with editor, administrator, contributor, or author privileges can inject base64-encoded script payloads through the ftc_brand_url input field to execute arbitrary JavaScript when users visit the brand page.
Title WordPress Theme Wibar 1.1.8 Stored Cross-Site Scripting via Brand Component
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-16T15:25:52.200Z

Reserved: 2026-05-15T14:14:04.027Z

Link: CVE-2020-37235

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-16T16:16:19.570

Modified: 2026-05-16T16:16:19.570

Link: CVE-2020-37235

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-16T17:00:13Z

Weaknesses