Description
Contributor Cross Site Scripting (XSS) in Neve PRO <= 3.1.2 versions.
Published: 2026-06-26
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A contributor‑based cross site scripting (XSS) flaw exists in the Neve PRO WordPress theme (versions up to and including 3.1.2). The vulnerability enables an attacker to inject malicious JavaScript into the theme’s output, which will execute in the browsers of visitors who view the affected content. This can lead to session hijacking, credential theft, defacement, or the delivery of additional malware.

Affected Systems

The affected product is the Neve PRO theme from Themeisle, with all versions up to and including 3.1.2 impacted. Any hosting environment running those versions is susceptible.

Risk and Exploitability

The CVSS v3 score of 6.5 indicates a moderate severity risk. EPSS information is not provided, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the attack vector is likely through manipulated content submitted by contributors or users interacting with the theme’s features, which is then rendered without proper sanitization.

Generated by OpenCVE AI on June 26, 2026 at 16:58 UTC.

Remediation

Vendor Solution

Update the WordPress Neve PRO Theme to the latest available version (at least 3.1.3).

OpenCVE Recommended Actions

  • Update the Neve PRO theme to version 3.1.3 or later.
  • Remove or disable any unauthenticated or untrusted contributor submissions that may inject code into the theme output.
  • Audit the theme’s files for unexpected JavaScript injections and delete any suspicious code before the next update.

Generated by OpenCVE AI on June 26, 2026 at 16:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 26 Jun 2026 15:15:00 +0000

Type Values Removed Values Added
Description Contributor Cross Site Scripting (XSS) in Neve PRO <= 3.1.2 versions.
Title WordPress Neve PRO theme <= 3.1.2 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-26T16:42:20.403Z

Reserved: 2026-06-25T08:03:02.838Z

Link: CVE-2026-57618

cve-icon Vulnrichment

Updated: 2026-06-26T16:42:16.972Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T17:00:04Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')