Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in skygroup Reebox reebox allows Reflected XSS. This issue affects Reebox: from n/a through < 1.4.8.
Published: 2026-03-25
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross‑Site Scripting
Action: Patch Now
AI Analysis

Impact

The Reebox theme contains an improper input neutralization flaw that leads to reflected cross‑site scripting. When an attacker supplies malicious data via query strings or form inputs, the theme echoes that data directly into the page. This allows the attacker to embed and execute arbitrary JavaScript in a victim’s browser, potentially enabling session hijack, defacement, or data theft. The vulnerability carries a CVSS score of 7.1, indicating a high potential impact on confidentiality and integrity for users who view the affected pages.

Affected Systems

Any WordPress site running the skygroup Reebox theme before version 1.4.8 is vulnerable. The issue applies to all installations that have not upgraded the theme to 1.4.8 or newer.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity. Although EPSS data is unavailable and the flaw is not listed in CISA’s KEV catalog, it is publicly documented, suggesting an elevated risk of exploitation. Attackers can exploit the vulnerability via a crafted URL or input that is reflected back to the user; no authentication is required. Successful exploitation results in the attacker gaining the same privileges as the victim within the context of the site.

Generated by OpenCVE AI on March 25, 2026 at 23:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Reebox theme to version 1.4.8 or later.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 12:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Skygroup; Skygroup reebox; Wordpress; Wordpress wordpress
Vendors & Products | | Skygroup; Skygroup reebox; Wordpress; Wordpress wordpress

Wed, 25 Mar 2026 21:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 25 Mar 2026 16:45:00 +0000

Type | Values Removed | Values Added
Description | | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in skygroup Reebox reebox allows Reflected XSS. This issue affects Reebox: from n/a through < 1.4.8.
Title | | WordPress Reebox theme < 1.4.8 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses | | CWE-79
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-24T15:35:36.756Z

Reserved: 2026-02-02T12:52:48.540Z

Link: CVE-2026-25354

Vulnrichment

Updated: 2026-03-25T20:06:04.358Z

NVD

Status: Deferred

Published: 2026-03-25T17:16:46.320

Modified: 2026-04-24T16:32:53.997

Link: CVE-2026-25354

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-26T12:12:49Z

Weaknesses