Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Soledad soledad allows DOM-Based XSS. This issue affects Soledad: from n/a through <= 8.7.2.
Published: 2026-02-19
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross Site Scripting
Action: Apply Patch
AI Analysis

Impact

A DOM-based cross‑site scripting vulnerability exists in the Soledad theme by PenciDesign; the theme does not properly neutralize user input that is rendered in the web page, so an attacker can inject JavaScript that executes in the victim’s browser. When exploited, the attacker can steal session cookies, deface content, or hijack a user’s session. The flaw is triggered by data that passes through the theme’s generation process and is reflected in the browser.

Affected Systems

All installations of the Soledad theme up to and including version 8.7.2 are affected. The product is the PenciDesign Soledad WordPress theme, and any WordPress site running a vulnerable version remains at risk.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity vulnerability, and the EPSS score of less than 1% suggests that exploitation is currently unlikely but still possible. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires a user to visit a page where the theme fails to sanitize input, so the risk is elevated for sites that expose user‑generated content or public widgets powered by the theme.

Generated by OpenCVE AI on April 16, 2026 at 00:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Soledad theme to a version newer than 8.7.2.
  • If an immediate upgrade is not possible, disable or sanitize any theme options or widgets that accept user input to prevent script injection.
  • Deploy a Web Application Firewall rule to filter or block JavaScript payloads that target the Soledad theme’s rendering paths.



Advisories

No advisories yet.

History

Fri, 20 Feb 2026 16:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Feb 2026 15:30:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Fri, 20 Feb 2026 10:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Pencidesign; Pencidesign soledad; Wordpress; Wordpress wordpress
Vendors & Products | | Pencidesign; Pencidesign soledad; Wordpress; Wordpress wordpress

Thu, 19 Feb 2026 08:45:00 +0000

Type | Values Removed | Values Added
Description | | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Soledad soledad allows DOM-Based XSS. This issue affects Soledad: from n/a through <= 8.7.2.
Title | | WordPress Soledad theme <= 8.7.2 - Cross Site Scripting (XSS) vulnerability
Weaknesses | | CWE-79
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:04.052Z

Reserved: 2026-02-17T13:23:51.341Z

Link: CVE-2026-27069

Vulnrichment

Updated: 2026-02-20T14:55:54.929Z

NVD

Status: Deferred

Published: 2026-02-19T09:16:27.547

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-27069

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T00:15:18Z

Weaknesses