Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GhostPool Aardvark aardvark allows Reflected XSS.This issue affects Aardvark: from n/a through <= 4.6.3.
Published: 2026-02-20
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting (Reflected XSS)
Action: Patch Now
AI Analysis

Impact

The vulnerability allows an attacker to inject and execute arbitrary client‑side scripts in the browser of any visitor who loads a specially crafted URL or form submission. This can lead to session hijacking, credential theft, defacement or delivery of malware to users, compromising confidentiality and the integrity of the site’s displayed content.

Affected Systems

WordPress sites using the GhostPool Aardvark theme, versions up to and including 4.6.3, are affected. The flaw resides in the theme’s handling of user‑supplied input when generating web pages.

Risk and Exploitability

The CVSS score of 7.1 and an EPSS score of < 1% indicate a high severity but a low probability of widespread exploitation at present. The Aardvark theme is not listed in the CISA KEV catalog. The likely attack vector is via reflected XSS, where an attacker supplies malicious payloads in query parameters or form fields that are reflected back without proper sanitization."

Generated by OpenCVE AI on April 27, 2026 at 20:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Aardvark theme to the latest release that contains the XSS fix (v4.6.4 or later).
  • Remove any copies of the old theme from staging, backup or cache directories to prevent accidental use.
  • Deploy a strict Content Security Policy that blocks inline scripts and disallows unsafe eval to mitigate any remaining XSS risk.

Generated by OpenCVE AI on April 27, 2026 at 20:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 23 Feb 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Ghostpool
Ghostpool aardvark
Wordpress
Wordpress wordpress
Vendors & Products Ghostpool
Ghostpool aardvark
Wordpress
Wordpress wordpress

Fri, 20 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GhostPool Aardvark aardvark allows Reflected XSS.This issue affects Aardvark: from n/a through <= 4.6.3.
Title WordPress Aardvark theme <= 4.6.3 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Ghostpool Aardvark
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:46:04.037Z

Reserved: 2025-12-31T20:11:57.533Z

Link: CVE-2025-69296

cve-icon Vulnrichment

Updated: 2026-02-23T21:37:23.289Z

cve-icon NVD

Status : Deferred

Published: 2026-02-20T16:22:16.247

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-69296

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-27T20:45:12Z

Weaknesses