Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in skygroup Jaroti jaroti allows Reflected XSS.This issue affects Jaroti: from n/a through < 1.4.8.
Published: 2026-03-25
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross‑Site Scripting (XSS)
Action: Immediate Patch
AI Analysis

Impact

The Jaroti theme for WordPress contains an improper neutralization of input during web page generation that allows an attacker to inject malicious scripts into a page that is then served to users. This reflected XSS flaw can enable attackers to run arbitrary JavaScript in the victim's browser, potentially leading to session hijacking, credential theft, or defacement of the site. The weakness corresponds to a typical cross‑site scripting flaw (CWE‑79).

Affected Systems

This vulnerability affects the Jaroti theme from skygroup, versions less than 1.4.8. Any installations of the theme running those versions are exposed; newer releases (1.4.8 and later) are not affected.

Risk and Exploitability

The CVSS score of 7.1 indicates a moderate to high severity. EPSS data is unavailable, and the vulnerability is not listed in CISA's KEV catalogue, suggesting no known widespread exploitation yet. The likely attack vector is a reflected XSS, triggered by a malicious link or crafted URL that a user clicks while the theme is active. The flaw requires the user to visit a page that includes the vulnerable theme; no authentication or privileged access is necessary.

Generated by OpenCVE AI on March 25, 2026 at 23:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Jaroti theme to version 1.4.8 or later
  • If an upgrade is not immediately possible, deactivate the theme to block the attack surface
  • Verify that the updated theme is active and that no legacy files remain
  • Test the website after the update to ensure the XSS vector is fully mitigated

Generated by OpenCVE AI on March 25, 2026 at 23:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Skygroup
Skygroup jaroti
Wordpress
Wordpress wordpress
Vendors & Products Skygroup
Skygroup jaroti
Wordpress
Wordpress wordpress

Wed, 25 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in skygroup Jaroti jaroti allows Reflected XSS.This issue affects Jaroti: from n/a through < 1.4.8.
Title WordPress Jaroti theme < 1.4.8 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Skygroup Jaroti
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-24T15:35:38.465Z

Reserved: 2026-02-02T12:20:39.015Z

Link: CVE-2026-25304

cve-icon Vulnrichment

Updated: 2026-03-25T20:17:27.772Z

cve-icon NVD

Status : Deferred

Published: 2026-03-25T17:16:43.517

Modified: 2026-04-24T16:32:53.997

Link: CVE-2026-25304

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-26T12:12:59Z

Weaknesses