Description
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in kutethemes Uminex uminex allows Code Injection. This issue affects Uminex: from n/a through <= 1.0.9.
Published: 2026-04-08
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: Code Injection via Shortcode
Action: Immediate Patch
AI Analysis

Impact

Improper neutralization of script-related HTML tags in the Uminex theme allows an attacker to inject arbitrary code through shortcodes. The injected code can execute JavaScript in the context of visitors to the site, potentially leading to information disclosure, session hijacking, or further exploitation of the victim's browser. The vulnerability is a form of basic XSS (CWE-80) that can be used for malicious script execution and may also enable broader code injection depending on the theme's handling of the input.

Affected Systems

The Uminex WordPress theme from KuteThemes, version 1.0.9 and all earlier releases, is affected. Any installation that has not upgraded beyond 1.0.9 is vulnerable.

Risk and Exploitability

The CVSS details are not provided, but exploitation is likely to be feasible over the web, since the vulnerability arises whenever an attacker can create or modify content that includes a shortcode. No authentication requirement is mentioned, so the risk applies to all content editors and, on sites where visitors can insert shortcodes, to any site visitor. The EPSS score is unavailable and the vulnerability is not listed in the CISA KEV catalog, suggesting it is not presently exploited in the wild, but the potential for widespread impact remains because WordPress themes are commonly used.

Generated by OpenCVE AI on April 8, 2026 at 09:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest version of the Uminex theme (1.0.10 or later) or remove the theme entirely if not needed.
  • If an upgrade is not immediately possible, disable shortcode processing for untrusted users or whitelist approved shortcodes.
  • Use a web application firewall or plugin to block or sanitize script tags and other malicious input.
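One way to carry out the second recommended action (restrict shortcode processing for untrusted users and allowlist approved shortcodes) inside WordPress itself, as an added example that is not code from OpenCVE, KuteThemes or the Uminex theme: a must-use plugin hooked on the core pre_do_shortcode_tag filter. The allowlisted tag names and the choice of unfiltered_html as the "trusted author" test are assumptions to adapt per site.

```php
<?php
/**
 * Plugin Name: Shortcode allowlist (added example, not part of the Uminex theme)
 * Place in wp-content/mu-plugins/ so it loads before any theme code.
 */

// Assumption: only these shortcode tags are considered safe on this site.
const SC_ALLOWLIST_TAGS = array( 'gallery', 'caption', 'embed' );

/**
 * True when the post being rendered was written by an author who already
 * holds unfiltered_html (administrators/editors on single sites by default).
 * Content from anyone else is treated as untrusted.
 */
function sc_allowlist_author_is_trusted() {
    $post = get_post();
    if ( ! $post ) {
        return false; // no post context (widgets, theme options): stay strict
    }
    return user_can( (int) $post->post_author, 'unfiltered_html' );
}

/**
 * Runs before WordPress executes any shortcode handler. Returning a value
 * other than false replaces the shortcode output and skips the handler.
 */
function sc_allowlist_pre_do_shortcode_tag( $return, $tag, $attr, $m ) {
    if ( sc_allowlist_author_is_trusted() || in_array( $tag, SC_ALLOWLIST_TAGS, true ) ) {
        return $return; // false: let WordPress run the handler as usual
    }
    // Record the block so site owners can review who is injecting shortcodes.
    error_log( sprintf(
        'Blocked non-allowlisted shortcode [%s] in post %d',
        $tag,
        (int) get_the_ID()
    ) );
    // Drop the shortcode instead of executing it ($m[0] is the raw matched text).
    return '';
}
add_filter( 'pre_do_shortcode_tag', 'sc_allowlist_pre_do_shortcode_tag', 10, 4 );
```

Blocked shortcodes appear in the PHP error log, which gives a simple detection signal while the theme update is rolled out.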

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 19:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Kutethemes; Kutethemes uminex; Wordpress; Wordpress wordpress
Vendors & Products   -                Kutethemes; Kutethemes uminex; Wordpress; Wordpress wordpress

Wed, 08 Apr 2026 08:45:00 +0000

Type         Values Removed   Values Added
Description  -                Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in kutethemes Uminex uminex allows Code Injection. This issue affects Uminex: from n/a through <= 1.0.9.
Title        -                WordPress Uminex theme <= 1.0.9 - Arbitrary Shortcode Execution vulnerability
Weaknesses   -                CWE-80
References   -

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-08T08:30:28.135Z

Reserved: 2026-04-07T10:57:36.651Z

Link: CVE-2026-39629

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-04-08T09:16:33.340

Modified: 2026-04-08T21:26:35.910

Link: CVE-2026-39629

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:41:46Z

Weaknesses