Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in skygroup Sanzo sanzo allows Stored XSS. This issue affects Sanzo: from n/a through < 2.4.3.
Published: 2026-03-25
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored cross‑site scripting (XSS) that can execute arbitrary script in the context of privileged users on a vulnerable WordPress site
Action: Apply Patch
AI Analysis

Impact

The Sanzo WordPress theme contains a stored cross‑site scripting flaw that permits an attacker to inject HTML or JavaScript into content that is stored by the application and subsequently rendered to visitors. The injected code runs in the browser of every user who views the affected content, allowing attackers to steal session cookies, hijack accounts, deface the site, or run further malicious actions in the victim’s context.

Affected Systems

All installations of the Sanzo theme from skygroup, versions older than 2.4.3, remain vulnerable. The issue applies to any instance where user‑supplied data can be stored and later displayed without proper neutralization.

Risk and Exploitability

The CVSS score of 6.5 classifies the vulnerability as medium severity, and the very low EPSS score (under 1%) suggests that active exploitation is not currently documented. It is not listed in the CISA KEV catalog. The vulnerability is a stored XSS: an attacker must first submit malicious input that the theme stores (for example in a post, comment, or theme option), and thereafter any user who loads that content is exposed. The CVSS vector (AV:N/PR:L/UI:R) indicates that this requires only low privileges on the site rather than administrative access, is reachable over the network, and needs a victim to interact with the stored content, which keeps the bar to exploitation relatively low with normal web access.
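The pattern this advisory describes (a theme value stored without neutralization and echoed into the page) and its remediation are easiest to see side by side. The following is an added example and not code from the Sanzo theme; the option name `example_theme_footer_text`, the Customizer setting and the function names are hypothetical, while the WordPress APIs used (`add_action`, `$wp_customize->add_setting`, `get_theme_mod`, `sanitize_text_field`, `esc_html`, `wp_kses_post`) are real.

```php
<?php
// Added example, not the Sanzo theme's own code. Option name, setting and
// function names are hypothetical; the WordPress APIs are real.

// --- Vulnerable shape (CWE-79 as described in this advisory) ---
// A value a low-privileged user can influence is written to the database
// unchanged and later echoed into the page verbatim, so any markup it
// contains runs in the browser of every visitor who loads the page.
function example_theme_register_setting_unsafe( $wp_customize ) {
    $wp_customize->add_setting( 'example_theme_footer_text', array(
        'default' => '',
        // No 'sanitize_callback': raw markup is stored as submitted.
    ) );
}
function example_theme_render_footer_unsafe() {
    echo get_theme_mod( 'example_theme_footer_text' ); // raw output: stored XSS sink
}

// --- Hardened shape: neutralize on input AND on output ---
function example_theme_register_setting_safe( $wp_customize ) {
    $wp_customize->add_setting( 'example_theme_footer_text', array(
        'default'           => '',
        'sanitize_callback' => 'sanitize_text_field', // strips tags before storage
    ) );
}
function example_theme_render_footer_safe() {
    // Escape at the point of output regardless of what the database holds:
    // an older theme version or another plugin may already have stored
    // unsanitized data, so input sanitization alone is not enough.
    echo esc_html( get_theme_mod( 'example_theme_footer_text' ) );
}

// If the field legitimately needs limited HTML (links, emphasis), use
// wp_kses_post() on output instead of esc_html(): it keeps the tags allowed
// in post content and drops script tags, on* event attributes and unsafe URL
// schemes.
function example_theme_render_rich_footer_safe() {
    echo wp_kses_post( get_theme_mod( 'example_theme_footer_text' ) );
}

add_action( 'customize_register', 'example_theme_register_setting_safe' );
add_action( 'wp_footer', 'example_theme_render_footer_safe' );
```

When reviewing a theme for this class of bug, look for every `echo`/`print` of `get_theme_mod()`, `get_option()`, post meta or comment data and confirm it passes through an `esc_*` or `wp_kses*` function at the output site; a `sanitize_callback` on the setting is defence in depth, not a substitute.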

Generated by OpenCVE AI on March 25, 2026 at 23:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Sanzo theme to version 2.4.3 or later

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Skygroup; Skygroup sanzo; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Skygroup; Skygroup sanzo; Wordpress; Wordpress wordpress

Wed, 25 Mar 2026 21:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 25 Mar 2026 16:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in skygroup Sanzo sanzo allows Stored XSS. This issue affects Sanzo: from n/a through < 2.4.3.

Type: Title
Values Removed: (none)
Values Added: WordPress Sanzo theme < 2.4.3 - Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79

Type: References
Values Removed: (none)
Values Added: (none)

Subscriptions

Skygroup Sanzo
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-23T14:14:09.117Z

Reserved: 2026-02-02T12:52:48.540Z

Link: CVE-2026-25355

Vulnrichment

Updated: 2026-03-25T20:23:06.761Z

NVD

Status : Deferred

Published: 2026-03-25T17:16:46.463

Modified: 2026-04-24T16:32:53.997

Link: CVE-2026-25355

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-26T12:12:48Z

Weaknesses