Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in skygroup Agrofood agrofood allows Reflected XSS. This issue affects Agrofood: from n/a through < 1.4.0.
Published: 2026-03-05
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting (Reflected)
Action: Patch immediately
AI Analysis

Impact

The Agrofood WordPress theme fails to neutralise user‑supplied data when building web pages, creating a reflected cross‑site scripting flaw. An attacker can embed malicious JavaScript into a URL; when a victim opens that link, the code runs in the victim’s browser. This client‑side execution can be used to hijack session cookies, deface the site, or perform further attacks on the user’s system.

Affected Systems

WordPress sites that use the Agrofood theme with a version older than 1.4.0 are vulnerable. All releases of the theme before 1.4.0 are affected regardless of minor patch level.

Risk and Exploitability

The vulnerability has a CVSS severity score of 7.1, indicating high risk. The estimated likelihood of exploitation (EPSS) is very low, at less than one percent, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. As a reflected XSS, the attack requires a remote attacker to craft a malicious link and a victim to click or visit it, so it depends on user interaction. When successful, it can enable session takeover, privacy breaches, or the execution of arbitrary client‑side code.

Generated by OpenCVE AI on April 17, 2026 at 12:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Agrofood theme to version 1.4.0 or newer to remove the flaw.
  • If the update cannot be applied immediately, de‑activate the Agrofood theme or replace it with a trusted alternative until the issue is resolved.
  • Apply proper input validation and output escaping for any user‑supplied content in the site, and configure a strict content security policy to block unexpected script execution.

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 23:45:00 +0000

Description
  Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Skygroup Agrofood allows Reflected XSS. This issue affects Agrofood: from n/a before 1.4.0.
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in skygroup Agrofood agrofood allows Reflected XSS. This issue affects Agrofood: from n/a through < 1.4.0.
References

Mon, 16 Mar 2026 14:30:00 +0000


Mon, 16 Mar 2026 13:45:00 +0000

Description
  Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in skygroup Agrofood agrofood allows Reflected XSS. This issue affects Agrofood: from n/a through <= 1.3.0.
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Skygroup Agrofood allows Reflected XSS. This issue affects Agrofood: from n/a before 1.4.0.
Title
  Values Removed: WordPress Agrofood theme <= 1.3.0 - Reflected Cross Site Scripting (XSS) vulnerability
  Values Added: WordPress Agrofood theme < 1.4.0 - Cross Site Scripting (XSS) vulnerability
References

Mon, 09 Mar 2026 16:15:00 +0000

Metrics
  Values Added:
    cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}
    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000

First Time appeared
  Values Added: Skygroup; Skygroup agrofood; Wordpress; Wordpress wordpress
Vendors & Products
  Values Added: Skygroup; Skygroup agrofood; Wordpress; Wordpress wordpress

Thu, 05 Mar 2026 06:15:00 +0000

Description
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in skygroup Agrofood agrofood allows Reflected XSS. This issue affects Agrofood: from n/a through <= 1.3.0.
Title
  Values Added: WordPress Agrofood theme <= 1.3.0 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses
  Values Added: CWE-79
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:15:01.793Z

Reserved: 2026-02-19T09:51:27.898Z

Link: CVE-2026-27332

Vulnrichment

Updated: 2026-03-09T15:40:28.257Z

NVD

Status: Deferred

Published: 2026-03-05T06:16:23.713

Modified: 2026-04-22T21:26:58.303

Link: CVE-2026-27332

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T13:00:12Z
