Description
The Drift theme for WordPress is vulnerable to Stored Cross-Site Scripting via the post title in all versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-02-19
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting via post titles after contributor‑level authentication
Action: Update Theme
AI Analysis

Impact

The Drift WordPress theme allows speakers with Contributor permissions or higher to store arbitrary JavaScript inside blog post titles. Because titles are output without proper escaping, the injected script runs in the browsers of any user who views the affected post, giving attackers a persistent cross‑site scripting vector that can compromise confidentiality, integrity, or availability of user sessions.

Affected Systems

WordPress installations that are using the Drift theme version 1.5.0 or earlier. Any site running the theme with a Contributor or higher role is vulnerable. The issue affects all WordPress sites that have not upgraded beyond v1.5.0.

Risk and Exploitability

The CVSS score of 6.4 indicates a moderate severity vulnerability, while the EPSS score of less than 1% shows a very low probability of exploitation at this time. The vulnerability is not listed in CISA’s KEV catalog. Attackers need to be logged in with a Contributor account or higher, so the attack vector is authenticated. Once authenticated, an attacker can inject scripts that execute on every page load containing a malicious post title, potentially leading to credential theft or defacement.

Generated by OpenCVE AI on April 22, 2026 at 11:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Drift theme to the latest version (1.6 or newer) where the title sanitization bug is fixed
  • Remove or manually sanitize all post titles that contain suspicious script tags or JavaScript before updating the theme
  • Limit Contributor accounts to only content that does not allow script injection, or use an additional sanitization plugin to escape output of post titles

Generated by OpenCVE AI on April 22, 2026 at 11:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 20 Feb 2026 01:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 19 Feb 2026 10:30:00 +0000

Type Values Removed Values Added
First Time appeared Thinkupthemes
Thinkupthemes drift
Wordpress
Wordpress wordpress
Vendors & Products Thinkupthemes
Thinkupthemes drift
Wordpress
Wordpress wordpress

Thu, 19 Feb 2026 04:15:00 +0000

Type Values Removed Values Added
Description The Drift theme for WordPress is vulnerable to Stored Cross-Site Scripting via the post title in all versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Drift <= 1.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Title
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Thinkupthemes Drift
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:09:44.040Z

Reserved: 2025-10-23T16:03:07.181Z

Link: CVE-2025-12116

cve-icon Vulnrichment

Updated: 2026-02-19T17:04:28.620Z

cve-icon NVD

Status : Deferred

Published: 2026-02-19T07:17:27.323

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12116

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T12:00:05Z

Weaknesses