Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in foreverpinetree Thecs thecs allows Reflected XSS. This issue affects Thecs: from n/a through <= 1.4.7.
Published: 2026-03-05
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Immediate Patch
AI Analysis

Impact

Improper neutralization of user input during web page generation, a reflected cross-site scripting (XSS) flaw, is present in the Foreverpinetree Thecs WordPress theme. Because the theme fails to escape request data before rendering it, a request containing attacker-controlled input can cause the theme to echo arbitrary JavaScript into the generated page. The script then executes in the browser of any user who views the crafted page, in that user's session context on the affected site.

Affected Systems

The vulnerability is present in all installations of the Foreverpinetree Thecs theme up to and including version 1.4.7. Site owners running version 1.4.7 or older are affected.

Risk and Exploitability

With a CVSS base score of 7.1, this flaw is rated High severity. The EPSS score indicates that exploitation is unlikely at present, with a probability below 1%. The flaw is not listed in the CISA KEV catalog. Based on the description, the attack vector is inferred to be client-side: an attacker triggers the vulnerability by delivering a crafted URL or form input that the theme reflects into the page without proper escaping. Exploitation requires no privileges on the site, but it does require a victim to load the crafted request, and it can affect any visitor who renders the vulnerable page.

Generated by OpenCVE AI on April 17, 2026 at 12:53 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Check for the latest update to the Thecs theme; if one is available, upgrade it to the newest version.
  • If an update is not available or cannot be applied immediately, remove or disable the Thecs theme to eliminate the reflected XSS risk.
  • Configure a strict Content-Security-Policy header on the web server to restrict inline script execution, mitigating any residual impact from reflected XSS.

Advisories

No advisories yet.

History

Mon, 09 Mar 2026 17:15:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}
                           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 06 Mar 2026 15:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           Foreverpinetree; Foreverpinetree thecs; Wordpress; Wordpress wordpress
Vendors & Products   (none)           Foreverpinetree; Foreverpinetree thecs; Wordpress; Wordpress wordpress

Thu, 05 Mar 2026 06:15:00 +0000

Type         Values Removed   Values Added
Description  (none)           Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in foreverpinetree Thecs thecs allows Reflected XSS. This issue affects Thecs: from n/a through <= 1.4.7.
Title        (none)           WordPress Thecs theme <= 1.4.7 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses   (none)           CWE-79
References   (none)           (none)

Subscriptions

Foreverpinetree Thecs
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:13:50.963Z

Reserved: 2026-01-07T12:22:12.277Z

Link: CVE-2026-22440

Vulnrichment

Updated: 2026-03-09T16:22:12.510Z

NVD

Status: Awaiting Analysis

Published: 2026-03-05T06:16:18.533

Modified: 2026-03-09T17:16:15.830

Link: CVE-2026-22440

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T13:00:12Z

Weaknesses