Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in skygroup Loobek loobek allows Reflected XSS. This issue affects Loobek: from n/a through < 1.5.2.
Published: 2026-03-25
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross‑Site Scripting
Action: Update Theme
AI Analysis

Impact

An improper input sanitization flaw in the Loobek WordPress theme allows attackers to inject arbitrary JavaScript via reflected user input, enabling cross‑site scripting. The flaw occurs whenever the theme outputs unsanitized query parameters or user data directly into the page. Successful exploitation would let an attacker run malicious code in the victim’s browser, potentially stealing authentication cookies, hijacking sessions, or modifying page content.

Affected Systems

The vulnerability is present in all releases of the Loobek theme prior to version 1.5.2, distributed by skygroup. Systems using older versions of the theme, particularly on WordPress installations that have not applied the latest update, are affected.

Risk and Exploitability

The flaw carries a CVSS score of 7.1, indicating a high impact severity. No exploit probability data is available, and the vulnerability is not listed in the CISA KEV catalog. It is likely to be exploited through a standard reflected XSS attack vector, where an attacker crafts a malicious URL or input and lures a user to visit it. The ease of exploitation and potential for session hijacking make it a significant threat.

Generated by OpenCVE AI on March 25, 2026 at 23:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Loobek theme to version 1.5.2 or later.
  • If an upgrade cannot be performed immediately, apply a Content Security Policy that restricts inline script execution and allows only trusted domains.


Advisories

No advisories yet.

History

Thu, 26 Mar 2026 12:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Skygroup; Skygroup loobek; Wordpress; Wordpress wordpress
Vendors & Products | | Skygroup; Skygroup loobek; Wordpress; Wordpress wordpress

Wed, 25 Mar 2026 21:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Mar 2026 16:45:00 +0000

Type | Values Removed | Values Added
Description | | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in skygroup Loobek loobek allows Reflected XSS. This issue affects Loobek: from n/a through < 1.5.2.
Title | | WordPress Loobek theme < 1.5.2 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses | | CWE-79
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-23T14:14:08.848Z

Reserved: 2026-02-02T12:52:42.958Z

Link: CVE-2026-25349

Vulnrichment

Updated: 2026-03-25T20:06:36.910Z

NVD

Status: Deferred

Published: 2026-03-25T17:16:45.627

Modified: 2026-04-24T16:32:53.997

Link: CVE-2026-25349

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-26T12:12:53Z

Weaknesses