Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in foreverpinetree Thebe thebe allows Reflected XSS. This issue affects Thebe: from n/a through <= 1.3.0.
Published: 2026-03-05
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting (Reflected XSS)
Action: Apply Patch
AI Analysis

Impact

Improper neutralization of user input during page generation allows attackers to inject malicious scripts that are reflected back to a victim's browser. This reflected XSS flaw can be used to steal session cookies, deface the site, or distribute malware; it is an instance of the CWE-79 weakness (improperly neutralized input during web page generation).

Affected Systems

The vulnerability impacts the Thebe WordPress theme developed by Forever Pine Tree. All versions from the earliest available up to and including 1.3.0 are affected. No information is provided for later releases, so site administrators should verify whether a newer theme release patches this issue.

Risk and Exploitability

The CVSS v3 score of 7.1 corresponds to High severity. The EPSS score of <1% suggests a low probability of widespread exploitation at present. The flaw is not listed in the CISA KEV catalog and no public exploits have been reported. Because reflected XSS is triggered via crafted URLs handled by the theme, any visitor who follows a malicious link could be affected. The attack vector is inferred to be user-supplied input such as query parameters or request data.

Generated by OpenCVE AI on April 16, 2026 at 12:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Contact Forever Pine Tree or consult their official website to obtain a patched or updated release of the Thebe theme and upgrade as soon as it becomes available.
  • Deploy a web application firewall or a security plugin that filters out malicious script payloads targeting vulnerable parameters.
  • Continuously monitor site traffic and error logs for signs of XSS attempts, and apply any newly released patches or updates as they become available.

Advisories

No advisories yet.

History

Mon, 09 Mar 2026 16:15:00 +0000

Type       Values Removed   Values Added
Metrics                     cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}
                            ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Foreverpinetree
                                       Foreverpinetree thebe
                                       Wordpress
                                       Wordpress wordpress
Vendors & Products                     Foreverpinetree
                                       Foreverpinetree thebe
                                       Wordpress
                                       Wordpress wordpress

Thu, 05 Mar 2026 06:15:00 +0000

Type          Values Removed   Values Added
Description                    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in foreverpinetree Thebe thebe allows Reflected XSS. This issue affects Thebe: from n/a through <= 1.3.0.
Title                          WordPress Thebe theme <= 1.3.0 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses                     CWE-79
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:13:54.404Z

Reserved: 2026-01-07T13:43:59.552Z

Link: CVE-2026-22455

Vulnrichment

Updated: 2026-03-09T16:00:57.919Z

NVD

Status: Awaiting Analysis

Published: 2026-03-05T06:16:19.840

Modified: 2026-03-09T17:16:16.773

Link: CVE-2026-22455

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T13:00:11Z

Weaknesses