CVE-2026-10077 in yootheme Plugin
Summary
by MITRE • 07/02/2026
The yootheme WordPress theme before 5.0.35 does not prevent its bundled front-end framework from treating certain HTML attributes, which are permitted by wp_kses_post(), as markup, allowing users with the Author role to perform Stored Cross-Site Scripting attacks that execute in the browser of any user who views the affected post.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 07/02/2026
The vulnerability in the yootheme WordPress theme affects versions prior to 5.0.35 and represents a critical stored cross-site scripting flaw that enables authors to inject malicious code into posts. This security issue stems from improper sanitization of HTML attributes within the theme's front-end framework, which processes certain attributes that wp_kses_post() typically permits but treats as executable markup. The vulnerability specifically targets users with the Author role, who can leverage this weakness to compromise any visitor who views the affected content, making it particularly dangerous in multi-user environments where authors may have elevated privileges.
The technical root cause of this vulnerability lies in the theme's inconsistent handling of HTML attribute processing within its bundled framework. While wp_kses_post() is designed to sanitize user input by allowing only safe HTML elements and attributes, the yootheme theme's implementation fails to properly distinguish between attributes that should be treated as plain text versus those that could execute code. This discrepancy creates a vector where authors can include malicious attributes such as onclick, onerror, or other event handlers that browsers interpret as executable JavaScript when rendered in posts. The framework's failure to properly validate these attributes against the WordPress core sanitization rules results in the persistence of dangerous markup within post content.
The operational impact of this vulnerability extends beyond simple XSS execution as it can enable attackers to perform sophisticated attacks including session hijacking, credential theft, and redirection to malicious sites. When any user views a post containing the maliciously injected HTML attributes, the browser executes the embedded JavaScript code in the context of the victim's session, potentially allowing full compromise of their WordPress account. This stored nature of the vulnerability means that the malicious payload persists until manually removed by administrators, creating a persistent threat vector that can affect multiple users over time. The vulnerability also demonstrates poor input validation practices that violate fundamental security principles and could lead to broader exploitation opportunities.
Mitigation strategies for this vulnerability should focus on immediate theme updates to version 5.0.35 or later, which contain the necessary patches addressing the attribute sanitization issue. Administrators should conduct thorough content audits to identify any posts that may have been compromised, particularly reviewing content created by users with Author roles before the patch was applied. Additionally, implementing proper content security policies and restricting user capabilities through role-based access controls can help minimize potential damage from similar vulnerabilities. This issue aligns with CWE-79 (Cross-Site Scripting) and ATT&CK technique T1059.001 (Command and Scripting Interpreter: PowerShell), as it enables the execution of malicious scripts within victim browsers through improperly sanitized user input, highlighting the importance of maintaining proper HTML sanitization practices in web applications.
The vulnerability demonstrates how front-end framework components can introduce security risks even when backend sanitization appears to be properly implemented. It underscores the need for comprehensive security testing that includes both server-side and client-side validation mechanisms, particularly in themes and plugins that process user-generated content. Organizations should implement regular security assessments of their WordPress installations, focusing on theme and plugin compatibility with core security features, as well as maintaining awareness of security advisories from WordPress core and third-party vendors to ensure timely remediation of similar issues.