Description
Unauthenticated Cross Site Scripting (XSS) in my flatonica <= 0.0.8 versions.
Published: 2026-06-17
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a reflected Cross Site Scripting flaw that allows an attacker to inject and execute arbitrary JavaScript in the browsers of site visitors. Because the flaw is not limited by authentication or authorization controls, any user who accesses a page containing the vulnerable input can become a victim, potentially leading to session hijacking, credential theft, or defacement. The weakness is a typical input handling issue classified under CWE-79, where the application fails to properly sanitize user supplied data before reflecting it back in an HTML response.

Affected Systems

WordPress sites that have installed the Mythemes my flatonica theme version 0.0.8 or earlier. The issue specifically affects that theme package and is not present in newer releases of the theme.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity for this type of vulnerability. The exploit probability (EPSS) is not available, and the flaw is not listed in the CISA KEV catalog, suggesting no widespread public exploitation yet. Attackers can exploit this vector simply by crafting a URL or form input containing malicious script and having unsuspecting users visit the site. Because the flaw is unauthenticated and reflected, it can be triggered without any administrative access, making it a low‑barrier threat for attackers.

Generated by OpenCVE AI on June 18, 2026 at 12:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the my flatonica theme to version 0.0.9 or later to eliminate the reflected XSS flaw
  • If an upgrade is not immediately possible, disable or replace the theme with a secure alternative to prevent exposure
  • Deploy a web application firewall or XSS filtering plugin to block or sanitize malicious input until a patch is applied

Generated by OpenCVE AI on June 18, 2026 at 12:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Mythemes
Mythemes my Flatonica
Wordpress
Wordpress wordpress
Vendors & Products Mythemes
Mythemes my Flatonica
Wordpress
Wordpress wordpress

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Unauthenticated Cross Site Scripting (XSS) in my flatonica <= 0.0.8 versions.
Title WordPress my flatonica theme <= 0.0.8 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Mythemes My Flatonica
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T15:32:43.357Z

Reserved: 2024-10-14T10:39:42.935Z

Link: CVE-2024-49269

cve-icon Vulnrichment

Updated: 2026-06-17T13:30:39.658Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T23:05:02Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')