Themes Vulnerabilities

Hester <= 1.1.10 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description

The Hester theme for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.1.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Themes

hester
No known fix

References

CVE
CVE-2025-26734
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/2612dab2-a4fc-4434-a107-f2d28f1a1dc8

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
stealthcopter
Verified
No
WPVDB ID
245a6d4c-a2d9-4204-82b5-fab167b3eb63

Timeline

Publicly Published
2025-03-24 (about 11 months ago)
Added
2025-04-01 (about 11 months ago)
Last Updated
2025-04-01 (about 11 months ago)

Other

Published
Title
Published
2025-02-20
Title
AMO Team Showcase <= 1.1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via amoteam_skills Shortcode
Published
2025-01-06
Title
Common Ninja: Fully Customizable & Perfectly Responsive Free Widgets for WordPress Websites <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-03-27
Title
Nmedia MailChimp <= 5.4 - Authenticated (Subscriber+) Stored Cross-Site Scripting
Published
2024-07-10
Title
Power BI Embedded for WordPress <= 1.1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2018-10-26
Title
Flow-Flow Social Stream <= 3.0.71 - Unauthenticated Cross-Site Scripting (XSS)