{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25442", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:53:40.964Z", "datePublished": "2026-03-19T08:35:29.071Z", "dateUpdated": "2026-03-19T13:08:35.541Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-19T08:35:29.071Z"}, "title": "WordPress Kentha theme <= 4.7.2 - Reflected Cross Site Scripting (XSS) vulnerability", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "CAPEC-591 Reflected XSS"}]}], "affected": [{"vendor": "QantumThemes", "product": "Kentha", "versions": [{"status": "affected", "version": "n/a", "lessThanOrEqual": "4.7.2", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in QantumThemes Kentha allows Reflected XSS.This issue affects Kentha: from n/a through 4.7.2.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in QantumThemes Kentha allows Reflected XSS.<p>This issue affects Kentha: from n/a through 4.7.2.</p>"}]}], "references": [{"url": "https://patchstack.com/database/wordpress/theme/kentha/vulnerability/wordpress-kentha-theme-4-7-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseSeverity": "HIGH", "baseScore": 7.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"}}], "credits": [{"lang": "en", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program", "user": "00000000-0000-4000-9000-000000000000", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-19T13:08:25.570271Z", "id": "CVE-2026-25442", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T13:08:35.541Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25442", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-19T13:08:25.570271Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T13:08:30.872Z"}}], "cna": {"title": "WordPress Kentha theme <= 4.7.2 - Reflected Cross Site Scripting (XSS) vulnerability", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "CAPEC-591 Reflected XSS"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "QantumThemes", "product": "Kentha", "versions": [{"status": "affected", "version": "n/a", "versionType": "custom", "lessThanOrEqual": "4.7.2"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://patchstack.com/database/wordpress/theme/kentha/vulnerability/wordpress-kentha-theme-4-7-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in QantumThemes Kentha allows Reflected XSS.This issue affects Kentha: from n/a through 4.7.2.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in QantumThemes Kentha allows Reflected XSS.<p>This issue affects Kentha: from n/a through 4.7.2.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-19T08:35:29.071Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25442", "state": "PUBLISHED", "dateUpdated": "2026-03-19T13:08:35.541Z", "dateReserved": "2026-02-02T12:53:40.964Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-19T08:35:29.071Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in QantumThemes Kentha allows Reflected XSS.This issue affects Kentha: from n/a through 4.7.2."}], "id": "CVE-2026-25442", "lastModified": "2026-03-19T13:25:00.570", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.7, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-03-19T09:16:17.290", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/wordpress/theme/kentha/vulnerability/wordpress-kentha-theme-4-7-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.7.2]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "kentha", "vendor": "qantumthemes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-19T09:50:35.204641+00:00", "value": {"mitigation_remediation": ["Verify the current Kentha theme version installed to determine exposure.", "Upgrade the Kentha theme to a non\u2011vulnerable version as soon as QantumThemes releases a fix.", "Regularly check the vendor\u2019s website or support portal for the latest theme updates and apply the patch as soon as it becomes available.", "If a patch is not yet available, implement temporary defenses such as a web\u2011application firewall or Content\u2011Security\u2011Policy rules that filter or block suspicious script payloads."], "summary": {"action": "Patch Theme", "impact": "Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The issue applies to any installation of the Kentha theme version up to and including 4.7.2 (the range is noted as \u2018n/a through 4.7.2\u2019, so all releases before or equal to 4.7.2 are considered vulnerable). Any WordPress site that uses this theme is at risk; no other components are listed as affected.", "description_and_impact": "This vulnerability is an Improper Neutralization of Input During Web Page Generation that results in a reflected Cross\u2011Site Scripting (XSS) flaw in the QantumThemes Kentha WordPress theme. The flaw arises because user\u2011supplied data is rendered without proper escaping, allowing an attacker to embed malicious JavaScript. When an affected user visits a crafted URL or interacts with a contaminated form, the injected script executes in their browser, potentially hijacking sessions, stealing cookies, defacing content, or redirecting to phishing sites. The impact is confined to the victim\u2019s browser session and does not give the attacker system\u2011level privileges.", "risk_and_exploitability": "The CVSS base score of 7.1 classifies the flaw as High severity. An EPSS score is not available, so the current exploit probability is unknown, and it is not catalogued in CISA\u2019s KEV list. Exploitation requires only the delivery of crafted input via a web page, which a malicious host can provide trivially, without any privilege escalation. The likely attack vector is web\u2011based and can be triggered by a visitor simply clicking a manipulated link or loading a malicious form."}}}}, "created": "2026-03-20T08:57:04.916394+00:00", "updated": "2026-03-20T14:15:19.855953+00:00", "vendors": ["qantumthemes", "qantumthemes$PRODUCT$kentha", "wordpress", "wordpress$PRODUCT$wordpress"]}