Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in QantumThemes Kentha kentha allows Reflected XSS. This issue affects Kentha: from n/a through <= 4.7.2.
Published: 2026-03-19
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting (Reflected XSS)
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an improper neutralization of input during web page generation that permits reflected cross‑site scripting. An attacker can supply malicious JavaScript that is echoed back in the page’s HTML, allowing execution in the victim’s browser. This can lead to session hijacking, credential theft, or malicious site manipulation for unsuspecting users browsing the affected WordPress site.

Affected Systems

QantumThemes Kentha WordPress theme versions up to and including 4.7.2 are affected. Any WordPress installation using the Kentha theme within that version range may be vulnerable if the theme’s input handling has not been patched.

Risk and Exploitability

The Exploit Prediction Scoring System indicates a very low exploit probability (<1%), and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, reflected XSS can be invoked through crafted URLs, meaning an active attacker could entice a user to visit a malicious link. The lack of a high CVSS score is offset by the simplicity of the attack vector and the ability to run arbitrary code in the victim’s browser, underscoring the importance of a timely patch.

Generated by OpenCVE AI on April 2, 2026 at 03:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Kentha theme to the latest available version.
  • If an immediate update is not possible, disable the theme or revert to a previous unaffected version.
  • Consider implementing a Web Application Firewall rule to block scripts in query parameters.

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in QantumThemes Kentha allows Reflected XSS. This issue affects Kentha: from n/a through 4.7.2.
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in QantumThemes Kentha kentha allows Reflected XSS. This issue affects Kentha: from n/a through <= 4.7.2.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Fri, 20 Mar 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Qantumthemes
Qantumthemes kentha
Wordpress
Wordpress wordpress
Vendors & Products Qantumthemes
Qantumthemes kentha
Wordpress
Wordpress wordpress

Thu, 19 Mar 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 19 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in QantumThemes Kentha allows Reflected XSS. This issue affects Kentha: from n/a through 4.7.2.
Title WordPress Kentha theme <= 4.7.2 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T16:00:42.483Z

Reserved: 2026-02-02T12:53:40.964Z

Link: CVE-2026-25442

Vulnrichment

Updated: 2026-03-19T13:08:30.872Z

NVD

Status: Awaiting Analysis

Published: 2026-03-19T09:16:17.290

Modified: 2026-04-01T17:28:35.773

Link: CVE-2026-25442

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T07:59:52Z

Weaknesses