CVE-2026-10077
YOOtheme Pro < 5.0.35 - Author+ Stored XSS via UIkit Data Attributes
CVSS Score
6.8
EPSS Score
0.0%
EPSS Percentile
0th
The yootheme WordPress theme before 5.0.35 does not prevent its bundled front-end framework from treating certain HTML attributes, which are permitted by wp_kses_post(), as markup, allowing users with the Author role to perform Stored Cross-Site Scripting attacks that execute in the browser of any user who views the affected post.
| Vendor | unknown |
| Product | yootheme |
| Published | Jul 2, 2026 |
| Last Updated | Jul 2, 2026 |
Stay Ahead of the Next One
Get instant alerts for unknown yootheme
Be the first to know when new medium vulnerabilities affecting unknown yootheme are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
Unknown / yootheme
0 < 5.0.35
References
Credits
Pierre Rudloff WPScan