Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in G5Theme Handmade Framework handmade-framework allows Reflected XSS.This issue affects Handmade Framework: from n/a through <= 3.9.
Published: 2026-03-25
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross Site Scripting
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a Reflected Cross Site Scripting (XSS) flaw caused by the Handmade Framework plugin’s failure to neutralize user‑supplied input during page rendering. An attacker can inject malicious scripts that are reflected back in the browser when the vulnerable page is accessed. This can lead to session hijacking, data theft, or execution of arbitrary actions on behalf of the user, impacting confidentiality, integrity and availability of the web application for any visitor who views the affected page.

Affected Systems

The vulnerability exists in the WordPress "Handmade Framework" plugin provided by G5Theme and affects all releases through version 3.9. Any WordPress site that has this plugin installed and has not been updated beyond 3.9 is susceptible.

Risk and Exploitability

The CVSS base score of 7.1 indicates a high severity. Because this is a reflected XSS, exploitation requires only a crafted URL or link and does not need privileged access. The attack vector is likely via a browser endpoint that echoes user input, making the flaw easily exploitable by an attacker who convinces a victim user to visit a malicious link. The EPSS score is not available; the vulnerability is not listed in CISA’s KEV catalog, but the high CVSS and open‑web exploitation potential suggest a significant risk.

Generated by OpenCVE AI on March 25, 2026 at 22:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Handmade Framework plugin to the latest version (>3.9).
  • If an update is not immediately available, ensure that all output from the plugin is properly escaped or sanitized in the theme’s templates.

Generated by OpenCVE AI on March 25, 2026 at 22:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared G5theme
G5theme handmade Framework
Wordpress
Wordpress wordpress
Vendors & Products G5theme
G5theme handmade Framework
Wordpress
Wordpress wordpress

Wed, 25 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in G5Theme Handmade Framework handmade-framework allows Reflected XSS.This issue affects Handmade Framework: from n/a through <= 3.9.
Title WordPress Handmade Framework plugin <= 3.9 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

G5theme Handmade Framework
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-23T14:14:03.741Z

Reserved: 2026-01-07T13:44:43.226Z

Link: CVE-2026-22520

cve-icon Vulnrichment

Updated: 2026-03-25T20:18:15.631Z

cve-icon NVD

Status : Deferred

Published: 2026-03-25T17:16:34.227

Modified: 2026-04-24T16:32:53.997

Link: CVE-2026-22520

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-26T12:13:16Z

Weaknesses