Themes Vulnerabilities
YOOtheme Pro < 5.0.35 - Author+ Stored XSS via UIkit Data Attributes
Description
The theme does not prevent its bundled front-end framework from treating certain HTML attributes, which are permitted by wp_kses_post(), as markup, allowing users with the Author role to perform Stored Cross-Site Scripting attacks that execute in the browser of any user who views the affected post.
Proof of Concept
Affects Themes
References
CVE
Classification
Type
XSS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Pierre Rudloff
Submitter
Pierre Rudloff
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2026-06-11 (about 21 days ago)
Added
2026-06-11 (about 20 days ago)
Last Updated
2026-06-11 (about 20 days ago)