Description
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in kutethemes Armania armania allows Code Injection. This issue affects Armania: from n/a through <= 1.4.8.
Published: 2026-04-08
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary code execution via shortcode injection
Action: Update Theme
AI Analysis

Impact

The vulnerability arises from improper neutralization of script-related HTML tags in the Kutethemes Armania WordPress theme, allowing attackers to insert and execute custom code within shortcodes. When the theme processes content containing these shortcodes, the malicious code can run with the privileges of the WordPress installation. This flaw gives a malicious actor the ability to manipulate page content, inject scripts, or potentially run arbitrary PHP code, compromising the confidentiality, integrity, and availability of the site.

Affected Systems

All releases of the Kutethemes Armania theme from the first available version through version 1.4.8 are affected. No other vendors or products have been identified as impacted by this vulnerability.

Risk and Exploitability

The CVSS score is not provided, but the nature of the flaw indicates a high severity potential. No EPSS score is available and the vulnerability is not listed in the KEV catalog. The likely attack vector is web-based through content submission; an attacker with the ability to add or edit posts or pages can insert a malicious shortcode that the theme will process and execute. Successful exploitation would grant the attacker control over the WordPress site and its data.

Generated by OpenCVE AI on April 8, 2026 at 10:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Armania theme to any version newer than 1.4.8 once a patch is released.
  • If an update is not immediately possible, switch the site to a different, trusted theme or disable the current theme.
  • As an interim control, restrict or remove the use of shortcodes that allow user input, and ensure that all content is sanitized.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 19:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | (none) | Kutethemes; Kutethemes armania; Wordpress; Wordpress wordpress
Vendors & Products | (none) | Kutethemes; Kutethemes armania; Wordpress; Wordpress wordpress

Wed, 08 Apr 2026 08:45:00 +0000

Type | Values Removed | Values Added
Description | (none) | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in kutethemes Armania armania allows Code Injection. This issue affects Armania: from n/a through <= 1.4.8.
Title | (none) | WordPress Armania theme <= 1.4.8 - Arbitrary Shortcode Execution vulnerability
Weaknesses | (none) | CWE-80
References | (none) |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-08T08:30:27.418Z

Reserved: 2026-04-07T10:57:36.650Z

Link: CVE-2026-39626

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-04-08T09:16:32.937

Modified: 2026-04-08T21:26:35.910

Link: CVE-2026-39626

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:41:49Z

Weaknesses