{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39625", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:57:36.650Z", "datePublished": "2026-04-08T08:30:27.220Z", "dateUpdated": "2026-04-08T08:30:27.220Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "techone", "product": "TechOne", "vendor": "kutethemes", "versions": [{"lessThanOrEqual": "3.0.3", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:40.190Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in kutethemes TechOne techone allows Code Injection.<p>This issue affects TechOne: from n/a through <= 3.0.3.</p>"}], "value": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in kutethemes TechOne techone allows Code Injection.This issue affects TechOne: from n/a through <= 3.0.3."}], "impacts": [{"capecId": "CAPEC-242", "descriptions": [{"lang": "en", "value": "Code Injection"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-80", "description": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:27.220Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/techone/vulnerability/wordpress-techone-theme-3-0-3-arbitrary-shortcode-execution-vulnerability?_s_id=cve"}], "title": "WordPress TechOne theme <= 3.0.3 - Arbitrary Shortcode Execution vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in kutethemes TechOne techone allows Code Injection.This issue affects TechOne: from n/a through <= 3.0.3."}], "id": "CVE-2026-39625", "lastModified": "2026-04-08T21:26:35.910", "metrics": {}, "published": "2026-04-08T09:16:32.807", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/techone/vulnerability/wordpress-techone-theme-3-0-3-arbitrary-shortcode-execution-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-80"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,3.0.3]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "TechOne", "source": "cna", "vendor": "kutethemes"}, "product": "techone", "vendor": "kutethemes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T10:47:46.042261+00:00", "value": {"mitigation_remediation": ["Upgrade the TechOne theme to version 3.0.4 or later.", "If an upgrade cannot be performed immediately, disable or remove the vulnerable shortcodes or sanitize shortcode output before rendering.", "Restrict the user roles that can create or edit content to limit injection opportunities.", "Keep the WordPress core, the theme, and all plugins up to date."], "summary": {"action": "Immediate Update", "impact": "Cross\u2011Site Scripting (Code Injection)"}, "threat_synthesis": {"affected_systems": "Any WordPress site using the TechOne theme up to and including version 3.0.3 is affected. Versions earlier than the theme\u2019s earliest release are also vulnerable because the issue exists from the start of that theme line.", "description_and_impact": "The kutethemes TechOne WordPress theme contains an improper neutralization of script\u2011related HTML tags that allows attackers to inject arbitrary code through shortcodes. This vulnerability is categorized as a basic cross\u2011site scripting flaw and can be exploited when a user creates or edits content that includes a crafted shortcode containing malicious scripts. The injected scripts execute in the context of site visitors, potentially compromising their accounts or enabling further attacks.", "risk_and_exploitability": "An attacker who can insert or edit content on the site can create a malicious shortcode that includes script tags. Since the theme fails to sanitize these tags, the code runs when the page is viewed. The risk is high because all authenticated content editors can create such content, and the vulnerability does not require advanced technical knowledge. The extent of impact is limited to the users who view the affected content, but compromised visitors could be tricked into revealing credentials or performing actions on the site. No publicly available exploits are documented, but the inherent ease of crafting a shortcut makes the opportunity for exploitation significant."}}}}, "created": "2026-04-08T19:29:34.206934+00:00", "updated": "2026-04-08T19:41:50.688772+00:00", "vendors": ["kutethemes", "kutethemes$PRODUCT$techone", "wordpress", "wordpress$PRODUCT$wordpress"]}