Description
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in kutethemes DukaMarket dukamarket allows Code Injection. This issue affects DukaMarket: from n/a through <= 1.3.0.
Published: 2026-04-08
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Code Injection via Shortcode
Action: Patch
AI Analysis

Impact

The flaw is an Improper Neutralization of Script-Related HTML Tags (Basic XSS, CWE-80) that allows a malicious actor to inject arbitrary HTML or JavaScript through the DukaMarket theme's shortcode system. An attacker who can supply a custom shortcode gets script executed in the visitor's browser, potentially leading to data theft, defacement, or other browser-side compromise.

Affected Systems

WordPress sites using the kutethemes DukaMarket theme at version 1.3.0 or earlier are affected. Any installation that has not upgraded past 1.3.0 remains vulnerable.

Risk and Exploitability

With a CVSS score of 5.3, the vulnerability is of moderate severity, but an EPSS score of less than 1% indicates a very low likelihood of real-world exploitation. The flaw is not listed in CISA's KEV catalog. An attacker could exploit the vulnerability remotely by submitting a crafted shortcode if the site exposes such a capability; the attack vector is therefore inferred to be remote via the shortcode interface.

Generated by OpenCVE AI on April 14, 2026 at 16:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WordPress DukaMarket theme to a version newer than 1.3.0
  • Remove or disable any legacy shortcodes that are no longer required
  • Apply stringent input validation or sanitization to any remaining shortcode processing to prevent future injection attempts

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 10:15:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}
Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


Tue, 14 Apr 2026 14:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 08 Apr 2026 19:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Kutethemes; Kutethemes dukamarket; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Kutethemes; Kutethemes dukamarket; Wordpress; Wordpress wordpress

Wed, 08 Apr 2026 08:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in kutethemes DukaMarket dukamarket allows Code Injection. This issue affects DukaMarket: from n/a through <= 1.3.0.

Type: Title
Values Removed: (none)
Values Added: WordPress DukaMarket theme <= 1.3.0 - Arbitrary Shortcode Execution vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-80

Type: References
Values Removed: (none)
Values Added: (none)

Subscriptions

Kutethemes Dukamarket
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:52:02.936Z

Reserved: 2026-04-07T10:57:36.651Z

Link: CVE-2026-39628

Vulnrichment

Updated: 2026-04-14T14:11:29.427Z

NVD

Status: Deferred

Published: 2026-04-08T09:16:33.210

Modified: 2026-04-29T10:17:33.330

Link: CVE-2026-39628

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:38:58Z

Weaknesses