Description
Unauthenticated Cross Site Scripting (XSS) in LMS <= 9.7 versions.
Published: 2026-07-02
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is an unauthenticated reflected cross‑site scripting flaw in the LMS WordPress theme, versions up to and including 9.7. An attacker can craft a request whose parameter value the theme echoes into the generated page without escaping, so a victim who opens the attacker's link executes arbitrary script in the context of the site. The weakness is improper neutralization of input during web page generation (CWE‑79): an output‑encoding flaw at the point where the theme writes request data into HTML, not merely a missing input check. The CVSS vector rates confidentiality, integrity, and availability impact as low each, with scope changed: the injected script runs in the victim's browser session rather than on the server, where it can read page content the victim can see, perform actions on the site as the victim, or alter what the victim is shown.
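The pattern described above, shown as an added illustration that is not the LMS theme's code: the advisory does not identify the vulnerable template or parameter, so the parameter name `s`, the markup, and the function names below are assumptions. The vulnerable function concatenates the request value into HTML; the fixed one escapes at the point of output with the WordPress escaper that matches each output context (`esc_html()` for element text, `esc_attr()` for an attribute value). Shims are defined only so the file runs under plain `php` outside WordPress, where the real functions exist.

```php
<?php
// Added illustration of reflected XSS (CWE-79) in a theme template and its
// fix. NOT the LMS theme's code: parameter "s", the markup and the function
// names are assumed, since the advisory does not publish the affected code.

// Shims so this runs outside WordPress. Inside WordPress esc_html() and
// esc_attr() already exist and these definitions are skipped.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Vulnerable: the request parameter is concatenated straight into HTML, so
// whatever the attacker puts in ?s= becomes markup in the victim's browser.
function render_results_heading_vulnerable(array $get): string
{
    $q = $get['s'] ?? '';
    return '<h2>Results for ' . $q . '</h2>'
         . '<input type="text" name="s" value="' . $q . '">';
}

// Fixed: neutralise the value at output time, using the escaper for the
// context it lands in. Element text and attribute values need different
// treatment; a single "sanitise on input" step does not cover both.
function render_results_heading_fixed(array $get): string
{
    $q = $get['s'] ?? '';
    return '<h2>Results for ' . esc_html($q) . '</h2>'
         . '<input type="text" name="s" value="' . esc_attr($q) . '">';
}

// Constructed sample request: the payload an attacker would embed in a link
// the victim has to open (the CVSS vector's UI:R). It first closes the
// attribute and tag, then injects a script element.
$sample_get = ['s' => '"><script>alert(document.domain)</script>'];

echo "Vulnerable output:\n", render_results_heading_vulnerable($sample_get), "\n\n";
echo "Fixed output:\n", render_results_heading_fixed($sample_get), "\n";
```

In the fixed output the quote and angle brackets arrive as `&quot;`, `&lt;` and `&gt;`, so the value can neither terminate the `value` attribute nor open a `<script>` element. In a real theme the value would come from `$_GET` (after `wp_unslash()`), and the same rule applies to every other place a request value is echoed: escape for the destination context, at the destination.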

Affected Systems

The LMS WordPress theme from DesignThemes is affected. Versions up to and including 9.7 are vulnerable. The record lists no fixed version; upgrading to a release newer than 9.7 is the expected remediation once the vendor publishes one. No other vendors or products are listed as impacted.

Risk and Exploitability

The CVSS 3.1 base score of 7.1 (High) comes from the vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L: exploitable over the network with no privileges and low complexity, but the victim must be induced to open a crafted link (UI:R), and scope is changed because the script executes in the user's browser rather than in the vulnerable component. The SSVC assessment records Exploitation: none, Automatable: no, and Technical Impact: partial. EPSS is not available, so there is no probability estimate of exploitation in the wild, and the vulnerability is not recorded in CISA's KEV catalog. Because the flaw is reflected rather than stored, each victim must be targeted with a link; nothing persists on the site itself.

Generated by OpenCVE AI on July 2, 2026 at 15:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the LMS WordPress theme to a version newer than 9.7 as soon as one is available.
  • If an updated version is not available, de‑activate or remove the LMS theme until a fix is released.
  • As a stopgap only, add web‑application firewall rules that block common reflected‑script payloads in requests to the site. The advisory does not name the affected parameter, so such rules cannot be narrowly targeted, and signature‑based filtering can be bypassed; it does not replace the code fix.

Advisories

No advisories yet.

History

Thu, 02 Jul 2026 15:30:00 +0000

  Type     Values removed   Values added
  Metrics  (empty)          ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 02 Jul 2026 11:30:00 +0000

  Type         Values removed   Values added
  Description  (empty)          Unauthenticated Cross Site Scripting (XSS) in LMS <= 9.7 versions.
  Title        (empty)          WordPress LMS theme <= 9.7 - Reflected Cross Site Scripting (XSS) vulnerability
  Weaknesses   (empty)          CWE-79
  References   (empty)          (empty)
  Metrics      (empty)          cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-07-02T14:51:33.339Z

Reserved: 2026-02-19T09:52:08.215Z

Link: CVE-2026-27404

Vulnrichment

Updated: 2026-07-02T14:51:29.534Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-02T15:30:05Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')