Description
The Renden theme for WordPress is vulnerable to Stored Cross-Site Scripting via the post title in all versions up to, and including, 1.8.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-02-19
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting via post titles leading to execution of arbitrary scripts for users who view injected content
Action: Patch
AI Analysis

Impact

The vulnerability exists in the Renden WordPress theme up to version 1.8.1. Insufficient sanitization of the post title field allows an authenticated user with Contributor or higher access to embed arbitrary JavaScript. When a victim views the affected post, the injected script runs in the victim’s browser, enabling phishing, cookie theft, or other client‑side attacks. The weakness is an injection flaw (CWE‑79).

Affected Systems

WordPress installations using the Renden theme, any version up to and including 1.8.1. The product is identified by the CNA as thinkupthemes:Renden; affected users are those who have adopted this theme during that period.

Risk and Exploitability

The CVSS score of 6.4 reflects moderate severity. The EPSS score is less than 1 %, suggesting a low probability of exploitation in the wild, and the vulnerability is not listed in CISA’s KEV catalog. Attackers must be authenticated with at least Contributor privileges to inject the title. Post‑editor input is not sanitized and output is not escaped, providing a straightforward exploitation path once credentials are obtained.

Generated by OpenCVE AI on April 21, 2026 at 00:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Renden theme to version 1.8.2 or later, if available; if no newer version exists, discontinue use of the theme.
  • Restrict the Contributor role or any role that can edit posts from using JavaScript in titles, or remove contributor capability from the role altogether.
  • Deploy input‑validation and output‑escaping measures (e.g., WordPress sanitize_text_field or wp_kses) to ensure post titles cannot contain executable code.

Generated by OpenCVE AI on April 21, 2026 at 00:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 20 Feb 2026 01:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 19 Feb 2026 10:30:00 +0000

Type Values Removed Values Added
First Time appeared Thinkupthemes
Thinkupthemes renden
Wordpress
Wordpress wordpress
Vendors & Products Thinkupthemes
Thinkupthemes renden
Wordpress
Wordpress wordpress

Thu, 19 Feb 2026 04:15:00 +0000

Type Values Removed Values Added
Description The Renden theme for WordPress is vulnerable to Stored Cross-Site Scripting via the post title in all versions up to, and including, 1.8.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Renden <= 1.8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Title
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Thinkupthemes Renden
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:14:32.797Z

Reserved: 2025-10-23T16:04:31.602Z

Link: CVE-2025-12117

cve-icon Vulnrichment

Updated: 2026-02-19T17:04:21.520Z

cve-icon NVD

Status : Deferred

Published: 2026-02-19T07:17:27.500

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12117

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T00:15:16Z

Weaknesses