Astra < 4.12.4 – Contributor+ Stored XSS via Post Meta | CVE 2026-3534 | Theme Vulnerabilities

Description

The theme is vulnerable to Stored Cross-Site Scripting via the `ast-page-background-meta` and `ast-content-background-meta` post meta fields due to insufficient input sanitization on meta registration and missing output escaping in the `astra_get_responsive_background_obj()` function for four CSS-context sub-properties (`background-color`, `background-image`, `overlay-color`, `overlay-gradient`). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Themes

Fixed in 4.12.4

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/acf2906b-1ee5-4272-bf6d-36a02023f658

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

at1as

Verified

No

WPVDB ID

4014e2f7-1db9-4ca7-b396-d5e4f12d7a21

Timeline

Publicly Published

2026-03-10 (about 12 days ago)

Added

2026-03-10 (about 12 days ago)

Last Updated

2026-03-10 (about 12 days ago)

Other

Published

Title

Published

2025-02-03

Title

WP doodlez <= 1.0.10 - Unauthenticated Stored Cross-Site Scripting

Published

2026-01-27

Title

Buy Now Plus < 1.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

Published

2023-04-17

Title

Sloth Logo Customizer <= 2.0.2 - Stored XSS via CSRF

Published

2024-12-10

Title

WP Log Action < 0.52 - Reflected XSS

Published

2025-01-22

Title

Toocheke Companion < 1.167 - Authenticated (Admin+) Stored Cross-Site Scripting