{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39628", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:57:36.651Z", "datePublished": "2026-04-08T08:30:27.843Z", "dateUpdated": "2026-04-08T08:30:27.843Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "dukamarket", "product": "DukaMarket", "vendor": "kutethemes", "versions": [{"lessThanOrEqual": "1.3.0", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:35.279Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in kutethemes DukaMarket dukamarket allows Code Injection.<p>This issue affects DukaMarket: from n/a through <= 1.3.0.</p>"}], "value": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in kutethemes DukaMarket dukamarket allows Code Injection.This issue affects DukaMarket: from n/a through <= 1.3.0."}], "impacts": [{"capecId": "CAPEC-242", "descriptions": [{"lang": "en", "value": "Code Injection"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-80", "description": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:27.843Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/dukamarket/vulnerability/wordpress-dukamarket-theme-1-3-0-arbitrary-shortcode-execution-vulnerability?_s_id=cve"}], "title": "WordPress DukaMarket theme <= 1.3.0 - Arbitrary Shortcode Execution vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in kutethemes DukaMarket dukamarket allows Code Injection.This issue affects DukaMarket: from n/a through <= 1.3.0."}], "id": "CVE-2026-39628", "lastModified": "2026-04-08T21:26:35.910", "metrics": {}, "published": "2026-04-08T09:16:33.210", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/dukamarket/vulnerability/wordpress-dukamarket-theme-1-3-0-arbitrary-shortcode-execution-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-80"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.3.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "DukaMarket", "source": "cna", "vendor": "kutethemes"}, "product": "dukamarket", "vendor": "kutethemes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T09:36:24.832550+00:00", "value": {"mitigation_remediation": ["Update the DukaMarket theme to a version newer than 1.3.0 if an update is available.", "If no update exists, remove the theme or replace it with a secure alternative.", "Restrict or sanitize shortcode input to prevent malicious code execution.", "Monitor site logs for suspicious activity or unauthorized shortcode usage.", "Keep WordPress core and other plugins up to date."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary Code Execution via XSS Shortcodes"}, "threat_synthesis": {"affected_systems": "All WordPress sites that have installed the Kutethemes DukaMarket theme version 1.3.0 or earlier are vulnerable. Both modern and legacy installations are affected until the theme is upgraded or removed.", "description_and_impact": "The DukaMarket theme up to version 1.3.0 contains an improper neutralization of script\u2011related tags. The flaw allows attackers to inject malicious code through the shortcode mechanism. If executed, the injected payload can run arbitrary JavaScript or WordPress shortcodes, potentially giving attackers remote code execution privileges within the affected site.", "risk_and_exploitability": "The vulnerability exploits a basic XSS in the theme\u2019s shortcode processing, making it accessible via any content that allows shortcode insertion. Attackers likely need site author or administrator privileges to insert vulnerable content. While the CVSS score is not listed in the data, the nature of arbitrary code execution suggests high severity. EPSS is unavailable, and the flaw is not yet catalogued by CISA KEV, but the potential impact warrants immediate attention."}}}}, "created": "2026-04-08T19:29:30.915723+00:00", "updated": "2026-04-08T19:41:47.495204+00:00", "vendors": ["kutethemes", "kutethemes$PRODUCT$dukamarket", "wordpress", "wordpress$PRODUCT$wordpress"]}