Description
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in kutethemes DukaMarket dukamarket allows Code Injection. This issue affects DukaMarket: from n/a through <= 1.3.0.
Published: 2026-04-08
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary Code Execution via XSS Shortcodes
Action: Immediate Patch
AI Analysis

Impact

The DukaMarket theme up to version 1.3.0 improperly neutralizes script-related HTML tags. The flaw lets an attacker inject malicious code through the theme's shortcode mechanism; if the injected payload is rendered, it can run arbitrary JavaScript or WordPress shortcodes, potentially giving the attacker remote code execution within the affected site.

Affected Systems

All WordPress sites that have installed the Kutethemes DukaMarket theme version 1.3.0 or earlier are vulnerable. Both modern and legacy installations are affected until the theme is upgraded or removed.

Risk and Exploitability

The vulnerability is a basic XSS in the theme's shortcode processing, reachable through any content that allows shortcode insertion. Attackers likely need site author or administrator privileges to insert the vulnerable content. While no CVSS score is listed in the data, the nature of arbitrary code execution suggests high severity. EPSS is unavailable, and the flaw is not yet catalogued in CISA KEV, but the potential impact warrants immediate attention.

Generated by OpenCVE AI on April 8, 2026 at 09:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the DukaMarket theme to a version newer than 1.3.0 if an update is available.
  • If no update exists, remove the theme or replace it with a secure alternative.
  • Restrict or sanitize shortcode input to prevent malicious code execution.
  • Monitor site logs for suspicious activity or unauthorized shortcode usage.
  • Keep WordPress core and other plugins up to date.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 19:45:00 +0000

Type: First Time appeared
  Values Added: Kutethemes; Kutethemes dukamarket; Wordpress; Wordpress wordpress
Type: Vendors & Products
  Values Added: Kutethemes; Kutethemes dukamarket; Wordpress; Wordpress wordpress

Wed, 08 Apr 2026 08:45:00 +0000

Type: Description
  Values Added: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in kutethemes DukaMarket dukamarket allows Code Injection. This issue affects DukaMarket: from n/a through <= 1.3.0.
Type: Title
  Values Added: WordPress DukaMarket theme <= 1.3.0 - Arbitrary Shortcode Execution vulnerability
Type: Weaknesses
  Values Added: CWE-80
Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-08T08:30:27.843Z

Reserved: 2026-04-07T10:57:36.651Z

Link: CVE-2026-39628

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-04-08T09:16:33.210

Modified: 2026-04-08T21:26:35.910

Link: CVE-2026-39628

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:41:47Z

Weaknesses