Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ta2g Tantyyellow allows Reflected XSS. This issue affects Tantyyellow: from n/a through 1.0.0.5.
Published: 2025-03-31
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This flaw is an improper neutralization of input during web page generation (CWE‑79): request input is reflected into the generated page without being encoded for its output context, so an attacker can inject script that is returned to, and executed by, the victim's browser. The impact is arbitrary client‑side code execution in the victim's session, potentially leading to session hijacking, credential theft, defacement, or delivery of further malicious payloads. The vulnerability requires no privileges on the site and is triggered solely by a crafted URL or form input.

Affected Systems

The affected product is the Tantyyellow WordPress theme by ta2g; versions up to and including 1.0.0.5 are vulnerable. These versions are distributed as standard theme installations for WordPress sites.

Risk and Exploitability

The CVSS v3.1 base score of 7.1 indicates high severity, but the EPSS score of less than 1% suggests a low current probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, indicating no known large‑scale exploitation at this time. The attack vector is classic reflected XSS: an attacker delivers a crafted URL to a victim, and the injected script executes in the victim's browser within the site's context. Exploitation requires user interaction (the victim must open the crafted link), consistent with the UI:R component of the CVSS vector.

Generated by OpenCVE AI on May 1, 2026 at 12:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Tantyyellow theme version (>=1.0.0.6) to eliminate the reflected XSS flaw.
  • If an upgrade is not immediately possible, add output escaping or input sanitization for the reflected fields, or deploy a Content Security Policy that blocks execution of inline and untrusted script.
  • Deploy a web application firewall or security plugin to detect and filter reflected XSS payloads before they reach browsers.
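The escaping and Content Security Policy measures in the actions above, shown as constructed example code for a generic WordPress theme template. This is added here for illustration and is not code from the Tantyyellow theme; the page does not show where the reflection occurs, so the request parameter name (`s`), the template fragment and the CSP directives are assumptions. The first fragment shows the CWE‑79 pattern (a request parameter written to the page unescaped); the second shows the same output escaped with WordPress's context-specific functions; the last adds a CSP header as defence in depth.

```php
<?php
// Constructed example for a generic WordPress theme template (not the Tantyyellow theme's code).

// Vulnerable pattern (CWE-79): a request parameter is written into the page without escaping.
// Any markup carried in ?s= is reflected into the response as live HTML.
$term = isset( $_GET['s'] ) ? $_GET['s'] : '';
echo '<h2>Search results for: ' . $term . '</h2>';

// Hardened pattern: unslash and sanitize on input, then escape on output for each context.
$term = isset( $_GET['s'] ) ? sanitize_text_field( wp_unslash( $_GET['s'] ) ) : '';

// HTML body context.
echo '<h2>Search results for: ' . esc_html( $term ) . '</h2>';

// HTML attribute context.
echo '<input type="text" name="s" value="' . esc_attr( $term ) . '">';

// URL context (also validates the scheme).
echo '<a href="' . esc_url( add_query_arg( 's', $term, home_url( '/' ) ) ) . '">Permalink</a>';

// Defence in depth (normally placed in the theme's functions.php): a Content Security Policy
// without 'unsafe-inline' means a reflected <script> block or inline event handler is not
// executed even if an escaping bug remains. The source list is an assumption; tune it per site.
add_action( 'send_headers', function () {
    header( "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'" );
} );
```

The escaping function must match the output context: `esc_html()` for text nodes, `esc_attr()` for attribute values, `esc_url()` for `href`/`src`. Sanitizing on input alone is not sufficient, since the same value may later be emitted into a context the sanitizer did not anticipate. The CSP shown will also block legitimate inline scripts that many themes and plugins rely on, so roll it out in `Content-Security-Policy-Report-Only` mode first and review the violation reports before enforcing it.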

Advisories
Source: EUVD
ID: EUVD-2025-8730
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ta2g Tantyyellow allows Reflected XSS. This issue affects Tantyyellow: from n/a through 1.0.0.5.
History

Tue, 28 Apr 2026 19:30:00 +0000


Tue, 28 Apr 2026 18:30:00 +0000

Type: Description
  Values removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ta2g Tantyyellow tantyyellow allows Reflected XSS.This issue affects Tantyyellow: from n/a through <= 1.0.0.5.
  Values added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ta2g Tantyyellow allows Reflected XSS.This issue affects Tantyyellow: from n/a through 1.0.0.5.
Type: References

Thu, 23 Apr 2026 15:30:00 +0000


Thu, 23 Apr 2026 15:00:00 +0000

Type: Description
  Values removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ta2g Tantyyellow allows Reflected XSS.This issue affects Tantyyellow: from n/a through 1.0.0.5.
  Values added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ta2g Tantyyellow tantyyellow allows Reflected XSS.This issue affects Tantyyellow: from n/a through <= 1.0.0.5.
Type: References

Mon, 31 Mar 2025 12:15:00 +0000

Type: Metrics (ssvc)
  {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 31 Mar 2025 11:15:00 +0000

Type: Description
  Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ta2g Tantyyellow allows Reflected XSS.This issue affects Tantyyellow: from n/a through 1.0.0.5.
Type: Title
  WordPress Tantyyellow theme <= 1.0.0.5 - Reflected Cross Site Scripting (XSS) vulnerability
Type: Weaknesses
  CWE-79
Type: References
Type: Metrics (cvssV3_1)
  {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:27.838Z

Reserved: 2025-01-16T11:33:30.627Z

Link: CVE-2025-23995

Vulnrichment

Updated: 2025-03-31T12:09:45.949Z

NVD

Status: Deferred

Published: 2025-03-31T11:15:38.443

Modified: 2026-04-28T19:29:12.947

Link: CVE-2025-23995

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T12:30:17Z

Weaknesses