Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in skygroup Nooni nooni allows Reflected XSS. This issue affects Nooni: from n/a through < 1.5.1.
Published: 2026-03-25
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑site scripting (script injection)
Action: Patch Now
AI Analysis

Impact

A reflected XSS flaw in the Nooni WordPress theme allows an attacker to inject malicious scripts into pages that are viewed by other users. When crafted input reaches the theme, the unsanitized data is reflected back into the browser, enabling arbitrary client‑side code execution. This can lead to cookie theft, session hijacking, defacement, and facilitation of further attacks from the victim’s machine.

Affected Systems

The vulnerability exists in the Nooni theme produced by skygroup for WordPress. All releases before 1.5.1 are affected, including earlier unknown versions through 1.5.0. WordPress site administrators who have installed this theme should treat any affected version as risky.

Risk and Exploitability

The CVSS score of 7.1 indicates high impact and reasonable exploitability. No EPSS score is available, and the issue is not listed in the KEV catalog, but reflected XSS is a common attack vector that can be triggered simply by sending a malicious link or form input to any visitor. An attacker does not need authentication or elevated privileges, and the vulnerability is reachable over the public web, making it likely to be leveraged if the theme remains unpatched.

Generated by OpenCVE AI on March 25, 2026 at 23:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Nooni theme to version 1.5.1 or later.
  • Verify that the site is running the patched version.
  • If an upgrade is not immediately possible, disable or remove the Nooni theme until a patch can be applied.
  • Monitor the site for suspicious activity and apply additional input sanitization if applicable.


Advisories

No advisories yet.

History

Thu, 26 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Skygroup; Skygroup nooni; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Skygroup; Skygroup nooni; Wordpress; Wordpress wordpress

Wed, 25 Mar 2026 21:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 25 Mar 2026 16:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in skygroup Nooni nooni allows Reflected XSS. This issue affects Nooni: from n/a through < 1.5.1.

Type: Title
Values Removed: (none)
Values Added: WordPress Nooni theme < 1.5.1 - Reflected Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-23T14:14:08.960Z

Reserved: 2026-02-02T12:52:42.959Z

Link: CVE-2026-25353

Vulnrichment

Updated: 2026-03-25T20:06:10.924Z

NVD

Status: Deferred

Published: 2026-03-25T17:16:46.183

Modified: 2026-04-24T16:32:53.997

Link: CVE-2026-25353

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-26T12:12:49Z

Weaknesses