Description
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in kutethemes Armania armania allows Code Injection.This issue affects Armania: from n/a through <= 1.4.8.
Published: 2026-04-08
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Code Injection
Action: Apply Patch
AI Analysis

Impact

Improper neutralization of script‑related HTML tags in the Armania theme enables attackers to inject malicious code via shortcodes. This basic XSS flaw allows the execution of arbitrary JavaScript, which could lead to cross‑site scripting attacks against site visitors, session hijacking, content defacement, or credential theft. The weakness is classified as CWE‑80.

Affected Systems

The vulnerability affects all installations of the Kutethemes Armania WordPress theme up to, and including, version 1.4.8. No specific sub‑components are mentioned, so any site running a vulnerable theme version is at risk.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity, and the EPSS score of less than 1 % suggests a low probability of exploitation in the wild. The vulnerability is not listed in CISA’s KEV catalog. Exploitation would likely involve an attacker crafting a malicious shortcode or input that the theme fails to sanitize, which could be delivered through the content editor or a user‑submitted post, giving the attacker the ability to run JavaScript in the context of site users.

Generated by OpenCVE AI on April 14, 2026 at 16:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Armania theme to a version newer than 1.4.8 or to a patched release from the vendor.
  • If an upgrade cannot be performed immediately, remove or disable any shortcodes that could trigger the flaw.
  • Keep WordPress core, all plugins, and themes updated to the latest released versions.
  • Apply site‑wide input sanitization or XSS protection plugins to mitigate similar risks.

Generated by OpenCVE AI on April 14, 2026 at 16:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

 cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Tue, 14 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Kutethemes
Kutethemes armania
Wordpress
Wordpress wordpress
Vendors & Products Kutethemes
Kutethemes armania
Wordpress
Wordpress wordpress

Wed, 08 Apr 2026 08:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in kutethemes Armania armania allows Code Injection.This issue affects Armania: from n/a through <= 1.4.8.
Title WordPress Armania theme <= 1.4.8 - Arbitrary Shortcode Execution vulnerability
Weaknesses CWE-80
References

Subscriptions

Kutethemes Armania
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:52:02.725Z

Reserved: 2026-04-07T10:57:36.650Z

Link: CVE-2026-39626

cve-icon Vulnrichment

Updated: 2026-04-14T14:11:54.461Z

cve-icon NVD

Status : Deferred

Published: 2026-04-08T09:16:32.937

Modified: 2026-04-29T10:17:32.990

Link: CVE-2026-39626

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:43:23Z

Weaknesses