Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in skygroup MyMedi mymedi allows Reflected XSS.This issue affects MyMedi: from n/a through < 1.7.7.
Published: 2026-03-25
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Patch
AI Analysis

Impact

The vulnerability is an improper neutralization of user input during web page generation, allowing reflected cross‑site scripting. This flaw permits an attacker to inject arbitrary JavaScript into pages served by WordPress sites that use the skygroup MyMedi theme. Executed scripts run in the victim’s browser, potentially altering the page display or accessing client‑side data.

Affected Systems

All WordPress sites that have installed the skygroup MyMedi theme prior to version 1.7.7 are impacted. This includes every release from the theme’s earliest available version up to, but not including, 1.7.7. No specific build or deployment details are provided.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity. No EPSS score is available, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is via a crafted URL or form that the theme reflects. Exploitation requires no special privileges and can be carried out by anyone who accesses a malicious link or submits a malicious form.

Generated by OpenCVE AI on March 26, 2026 at 00:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the MyMedi theme to version 1.7.7 or later.

Generated by OpenCVE AI on March 26, 2026 at 00:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Skygroup
Skygroup mymedi
Wordpress
Wordpress wordpress
Vendors & Products Skygroup
Skygroup mymedi
Wordpress
Wordpress wordpress

Wed, 25 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in skygroup MyMedi mymedi allows Reflected XSS.This issue affects MyMedi: from n/a through < 1.7.7.
Title WordPress MyMedi theme < 1.7.7 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Skygroup Mymedi
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-23T14:14:08.906Z

Reserved: 2026-02-02T12:52:42.958Z

Link: CVE-2026-25351

cve-icon Vulnrichment

Updated: 2026-03-25T20:06:23.832Z

cve-icon NVD

Status : Deferred

Published: 2026-03-25T17:16:45.900

Modified: 2026-04-24T16:32:53.997

Link: CVE-2026-25351

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-26T12:12:51Z

Weaknesses