Themes Vulnerabilities

YOOtheme Pro < 5.0.35 - Author+ Stored XSS via UIkit Data Attributes

Description

The theme does not prevent its bundled front-end framework from treating certain HTML attributes, which are permitted by wp_kses_post(), as markup, allowing users with the Author role to perform Stored Cross-Site Scripting attacks that execute in the browser of any user who views the affected post.

Proof of Concept

Affects Themes

Fixed in 5.0.35

References

Classification

Type
XSS
CWE

Miscellaneous

Original Researcher
Pierre Rudloff
Submitter
Pierre Rudloff
Verified
Yes

Timeline

Publicly Published
2026-06-11 (about 21 days ago)
Added
2026-06-11 (about 20 days ago)
Last Updated
2026-06-11 (about 20 days ago)

Other