Impact
An unauthenticated reflected cross‑site scripting vulnerability exists in all Skillate theme releases up to and including 1.2.10. The flaw allows an attacker to insert arbitrary JavaScript that is reflected back to the browser, potentially enabling cookie theft, account hijacking, defacement, or the delivery of additional malware. The vulnerability is identified as CWE‑79 and does not require authentication to exploit.
Affected Systems
WordPress sites that install the Skillate theme version 1.2.10 or earlier, distributed by Themeum, are affected. Any site running this theme without upgrading beyond the listed version is vulnerable.
Risk and Exploitability
The CVSS score of 7.1 indicates a high risk, with no exploit probability listed and the vulnerability not in CISA’s KEV catalog. Because the flaw is unauthenticated, exploitation can be triggered simply by a crafted URL or form input that is reflected, making practical attacks straightforward. The impact depends on the victim’s privileges but can include session hijacking or malicious content injection.
OpenCVE Enrichment