Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jthemes Themebox - Digital Products Ecommerce allows Reflected XSS.

This issue affects Themebox - Digital Products Ecommerce: from n/a through 1.4.2.
Published: 2026-05-27
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of input during web page generation in the Jthemes Themebox – Digital Products Ecommerce theme allows reflected XSS. An attacker can send a crafted URL or payload that the theme will echo back to the victim’s browser without proper escaping, enabling the execution of arbitrary JavaScript in the user’s session. This can lead to cookie theft, session hijacking, content injection, or defacement of the site, depending on the privileges of the user who opens the link.

Affected Systems

The vulnerability affects the WordPress Themebox – Digital Products Ecommerce theme, versions from the earliest release through 1.4.2. Users of this theme on any WordPress installation are potentially impacted unless the theme has been updated to a later, non‑vulnerable release.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity level, but no EPSS score is available and the vulnerability is not listed in the CISA KEV catalog. Because the flaw is reflected, exploitation requires victim interaction with a crafted URL or input, however the broad use of WordPress themes and the ease of creating such payloads make the risk significant for sites that rely on this theme and expose potentially untrusted data on their front‑end. Attackers could leverage the XSS flaw to compromise user sessions, deface pages, or deliver further exploits in the victim’s browser.

Generated by OpenCVE AI on May 27, 2026 at 10:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Themebox to version 1.4.3 or later to eliminate the reflected XSS flaw.
  • If an immediate update is not feasible, modify the theme’s front‑end templates to escape dynamic data using WordPress functions such as esc_html() or esc_attr() before rendering it.
  • Apply a reputable security plugin that monitors for anomalous query strings and blocks known malicious payloads, and regularly review the theme’s code for any other unsanitized output.

Generated by OpenCVE AI on May 27, 2026 at 10:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 27 May 2026 11:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 27 May 2026 09:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jthemes Themebox - Digital Products Ecommerce allows Reflected XSS. This issue affects Themebox - Digital Products Ecommerce: from n/a through 1.4.2.
Title WordPress Themebox - Digital Products Ecommerce theme <= 1.4.2 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-27T10:27:09.900Z

Reserved: 2025-06-19T10:02:55.535Z

Link: CVE-2025-52747

cve-icon Vulnrichment

Updated: 2026-05-27T10:27:05.341Z

cve-icon NVD

Status : Deferred

Published: 2026-05-27T09:16:27.493

Modified: 2026-05-27T14:50:47.627

Link: CVE-2025-52747

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-27T10:30:28Z

Weaknesses