๐Ÿ” CVE Alert

CVE-2026-10077

MEDIUM 6.8

YOOtheme Pro < 5.0.35 - Author+ Stored XSS via UIkit Data Attributes

CVSS Score: 6.8
EPSS Score: 0.0%
EPSS Percentile: 0th

The yootheme WordPress theme before 5.0.35 does not prevent its bundled front-end framework from treating certain HTML attributes, which are permitted by wp_kses_post(), as markup, allowing users with the Author role to perform Stored Cross-Site Scripting attacks that execute in the browser of any user who views the affected post.

Vendor: unknown
Product: yootheme
Published: Jul 2, 2026
Last Updated: Jul 2, 2026

Affected Versions

Unknown / yootheme
0 < 5.0.35

References

wpscan.com: https://wpscan.com/vulnerability/89877758-50f1-4a4b-a622-e417571a5b14/

Credits

Pierre Rudloff, WPScan