Description
Unauthenticated Cross Site Scripting (XSS) in Enfold <= 7.1.4 versions.
Published: 2026-06-16
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Unauthorized XSS can be triggered by unauthenticated users in Enfold theme 7.1.4 or earlier. A malicious payload injected via reflected input can execute in the context of any site visitor, potentially stealing cookies, hijacking sessions, or defacing the site. This weakness is classified as CWE-79.

Affected Systems

WordPress sites that include the Enfold theme version 7.1.4 or older, as released by Kriesi. The issue affects all builds up to and including 7.1.4 and remains present until the theme is upgraded to at least 7.1.5. No other WordPress core or plugin components are mentioned as impacted.

Risk and Exploitability

The CVSS score of 7.1 signals high severity. The EPSS score of less than 1% indicates that, as of now, the risk of exploitation is low but not negligible, and the vulnerability is not in the CISA KEV catalog. An attacker can exploit this remotely by sending a crafted URL or input from a third‑party site; no prior authentication is required. Mitigation therefore centers on applying the vendor patch and encoding all user‑generated output properly.

Generated by OpenCVE AI on June 17, 2026 at 18:44 UTC.

Remediation

Vendor Solution

Update the WordPress Enfold Theme to the latest available version (at least 7.1.5).


OpenCVE Recommended Actions

  • Apply the latest Enfold theme (7.1.5 or newer) to all WordPress installations that use the theme.
  • Remove any residual copies of Enfold 7.1.4 or earlier from server directories to prevent accidental reuse.
  • Conduct a code review of theme overrides or plugins that output user input, ensuring that all data is correctly sanitized to eliminate XSS vectors.

Generated by OpenCVE AI on June 17, 2026 at 18:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 17 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 05:15:00 +0000

Type Values Removed Values Added
First Time appeared Kriesi
Kriesi enfold
Wordpress
Wordpress wordpress
Vendors & Products Kriesi
Kriesi enfold
Wordpress
Wordpress wordpress

Tue, 16 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description Unauthenticated Cross Site Scripting (XSS) in Enfold <= 7.1.4 versions.
Title WordPress Enfold theme <= 7.1.4 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Kriesi Enfold
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T10:37:04.944Z

Reserved: 2026-05-25T22:10:00.865Z

Link: CVE-2026-48869

cve-icon Vulnrichment

Updated: 2026-06-17T10:36:59.150Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-17T18:45:10Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')