Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ApusTheme Drone drone allows Reflected XSS.This issue affects Drone: from n/a through <= 1.40.
Published: 2026-01-22
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of user input in the ApusTheme Drone WordPress theme enables a reflected cross‑site scripting (XSS) flaw. An attacker can inject malicious JavaScript that is echoed back by the site, potentially allowing theft of cookies, login tokens, or sensitive information from victim browsers.

Affected Systems

All installations of the ApusTheme Drone theme version 1.40 and earlier are vulnerable. This includes any WordPress site that has not upgraded past the 1.40 release.

Risk and Exploitability

The CVSS score of 7.1 indicates a medium to high severity and a possible impact on confidentiality, integrity, and availability of user data. The EPSS score of <1% suggests that exploitation, if it occurs, is unlikely but still feasible. The vulnerability is not listed in CISA’s KEV catalog, underscoring its relatively low exploitation probability under current threat conditions. The likely attack vector is that an attacker can craft a malicious URL or link containing harmful query parameters; a victim who visits the link will trigger the reflected XSS. Based on the description, it is inferred that the vulnerability is exploitable via the web interface alone, without additional access.

Generated by OpenCVE AI on May 2, 2026 at 00:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the ApusTheme Drone WordPress theme to a version above 1.40, as newer releases incorporate the XSS fix.
  • Implement WordPress‑core sanitization functions (e.g., esc_html or wp_kses) for any custom code that outputs user-supplied data to prevent reflected XSS, aligning with CWE‑79 mitigation practices.
  • Apply a Content Security Policy or use a reputable CSP‑plugin to restrict the execution of injected scripts and mitigate the impact of any residual vulnerabilities.

Generated by OpenCVE AI on May 2, 2026 at 00:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

 cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Mon, 26 Jan 2026 23:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 23 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ApusTheme Drone drone allows Reflected XSS.This issue affects Drone: from n/a through <= 1.40.
Title WordPress Drone theme <= 1.40 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:58.958Z

Reserved: 2025-06-04T09:41:05.254Z

Link: CVE-2025-49249

cve-icon Vulnrichment

Updated: 2026-01-26T21:59:53.167Z

cve-icon NVD

Status : Deferred

Published: 2026-01-22T17:15:56.150

Modified: 2026-06-17T09:30:58.697

Link: CVE-2025-49249

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T01:00:15Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')