Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Starto starto allows Reflected XSS.This issue affects Starto: from n/a through < 2.2.5.
Published: 2026-03-05
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting (XSS)
Action: Apply Patch
AI Analysis

Impact

The vulnerability originates from improper neutralization of input during web page generation, enabling a reflected cross‑site scripting condition in the Starto theme. An attacker can embed malicious scripts potentially leading to theft of browser session data, credential hijacking, defacement of the site, or the propagation of malware to visitors.

Affected Systems

The issue affects any installation of ThemeGoods Starto for WordPress versions prior to 2.2.5, namely any Starto theme instance that has not been updated to the minimum patched release. No specific WordPress core versions are cited, but the theme itself is the point of exploitation.

Risk and Exploitability

The CVSS score of 7.1 indicates moderate‑to‑high severity. The EPSS score of less than 1% signifies a very low likelihood of active exploitation, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector involves crafting a malicious URL or form submission that targets a page rendered by the vulnerable theme; this inference is drawn from the description stating improper neutralization of input. A successful injection could affect any user who visits the compromised page, causing integrity and confidentiality losses. Therefore, while the risk of exploitation is currently low, the potential impact warrants timely remediation.

Generated by OpenCVE AI on April 28, 2026 at 22:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WordPress Starto theme to at least version 2.2.5 to eliminate the vulnerable code.
  • Remove any legacy theme files from the WordPress installation to ensure no remnants of the pre‑2.2.5 code remain.
  • Apply WordPress’s built‑in escaping functions or enforce a Content Security Policy to mitigate any residual cross‑site scripting vectors.

Generated by OpenCVE AI on April 28, 2026 at 22:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:45:00 +0000

Type Values Removed Values Added
References

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Starto allows Reflected XSS.This issue affects Starto: from n/a before 2.2.5. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Starto starto allows Reflected XSS.This issue affects Starto: from n/a through < 2.2.5.
References

Tue, 07 Apr 2026 09:30:00 +0000

Type Values Removed Values Added
References

Tue, 07 Apr 2026 09:15:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Starto starto allows Reflected XSS.This issue affects Starto: from n/a through <= 2.1.9. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Starto allows Reflected XSS.This issue affects Starto: from n/a before 2.2.5.
Title WordPress Starto theme <= 2.1.9 - Reflected Cross Site Scripting (XSS) vulnerability WordPress Starto theme < 2.2.5 - Cross Site Scripting (XSS) vulnerability
References

Fri, 06 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Themegoods
Themegoods starto
Wordpress
Wordpress wordpress
Vendors & Products Themegoods
Themegoods starto
Wordpress
Wordpress wordpress

Thu, 05 Mar 2026 06:15:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Starto starto allows Reflected XSS.This issue affects Starto: from n/a through <= 2.1.9.
Title WordPress Starto theme <= 2.1.9 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Themegoods Starto
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:15:02.134Z

Reserved: 2026-02-19T09:51:41.702Z

Link: CVE-2026-27352

cve-icon Vulnrichment

Updated: 2026-03-06T19:07:11.213Z

cve-icon NVD

Status : Deferred

Published: 2026-03-05T06:16:25.277

Modified: 2026-04-23T15:37:20.900

Link: CVE-2026-27352

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T22:30:41Z

Weaknesses