Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in TieLabs Jannah jannah allows DOM-Based XSS. This issue affects Jannah: from n/a through <= 7.6.0.
Published: 2025-12-18
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The TieLabs Jannah WordPress theme up to version 7.6.0 contains a DOM‑Based Cross‑Site Scripting flaw that allows an attacker to inject and execute arbitrary JavaScript in a victim’s browser. By manipulating user‑controllable input such as URLs or form fields, the attacker can run code in the context of the site, potentially hijacking sessions, defacing content or delivering additional payloads.

Affected Systems

Any WordPress installation using the TieLabs Jannah theme version 7.6.0 or earlier is affected. The vulnerability is reported to impact all releases from the earliest known version through 7.6.0.

Risk and Exploitability

The issue is assigned a CVSS score of 7.1 (High) and an EPSS value of less than 1%, indicating high severity but a low probability of exploitation in the wild. Because the flaw is DOM‑Based, it requires a victim to visit a crafted page or interact with injected input, and it does not grant the attacker any privileged access on the server. The vulnerability is not listed in the CISA KEV catalog, and no widespread exploitation has been documented to date, yet the potential to affect users who visit malicious pages remains significant.

Generated by OpenCVE AI on April 29, 2026 at 12:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Jannah theme to the latest release that fixes the XSS (at least version 7.6.1).
  • Sanitize or remove any user‑controllable input fields that the theme exposes, ensuring proper HTML encoding before output.
  • Deploy a Content Security Policy that restricts script execution and limits inline scripting to mitigate the impact of any remaining XSS vectors.


Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Fri, 19 Dec 2025 09:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Tielabs; Tielabs jannah; Wordpress; Wordpress wordpress
Vendors & Products | | Tielabs; Tielabs jannah; Wordpress; Wordpress wordpress

Thu, 18 Dec 2025 20:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}; ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 18 Dec 2025 07:45:00 +0000

Type | Values Removed | Values Added
Description | | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in TieLabs Jannah jannah allows DOM-Based XSS. This issue affects Jannah: from n/a through <= 7.6.0.
Title | | WordPress Jannah theme <= 7.6.0 - Cross Site Scripting (XSS) vulnerability
Weaknesses | | CWE-79
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T18:24:39.799Z

Reserved: 2025-10-29T03:07:04.007Z

Link: CVE-2025-64207

Vulnrichment

Updated: 2025-12-18T19:44:07.100Z

NVD

Status: Deferred

Published: 2025-12-18T08:16:11.147

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-64207

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T12:15:09Z

Weaknesses