Description
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in kutethemes Uminex uminex allows Code Injection.This issue affects Uminex: from n/a through <= 1.0.9.
Published: 2026-04-08
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Script Execution via XSS
Action: Immediate Patch
AI Analysis

Impact

The Uminex theme for WordPress contains a Basic XSS flaw caused by inadequate escaping of script‑related HTML tags. This weakness allows an attacker to embed malicious scripts or shortcodes that execute when the content is rendered, leading to code injection into the site’s front‑end or administrative pages. The consequence can include credential theft, page defacement, or further exploitation of the server.

Affected Systems

WordPress installations that use the kutethemes Uminex theme version 1.0.9 or older are impacted. Versions newer than 1.0.9 are not known to contain this vulnerability.

Risk and Exploitability

The CVSS score of 5.3 signals moderate severity, while the EPSS score of less than 1% indicates a low likelihood of real‑world exploitation. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Based on the description, it is inferred that an attacker would exploit this flaw by creating or editing a WordPress post or page that contains a malicious shortcode, causing the script to run in the context of visitors or site administrators.

Generated by OpenCVE AI on April 9, 2026 at 23:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Uminex theme to a version newer than 1.0.9 if a patch is available.
  • If no update is available, replace the theme with a trusted alternative, or disable shortcode processing to eliminate the XSS surface.

Generated by OpenCVE AI on April 9, 2026 at 23:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 10 Apr 2026 09:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 09 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Wed, 08 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Kutethemes
Kutethemes uminex
Wordpress
Wordpress wordpress
Vendors & Products Kutethemes
Kutethemes uminex
Wordpress
Wordpress wordpress

Wed, 08 Apr 2026 08:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in kutethemes Uminex uminex allows Code Injection.This issue affects Uminex: from n/a through <= 1.0.9.
Title WordPress Uminex theme <= 1.0.9 - Arbitrary Shortcode Execution vulnerability
Weaknesses CWE-80
References

Subscriptions

Kutethemes Uminex
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:52:02.915Z

Reserved: 2026-04-07T10:57:36.651Z

Link: CVE-2026-39629

cve-icon Vulnrichment

Updated: 2026-04-09T18:35:30.503Z

cve-icon NVD

Status : Deferred

Published: 2026-04-08T09:16:33.340

Modified: 2026-04-24T18:06:24.707

Link: CVE-2026-39629

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-10T09:40:53Z

Weaknesses