CVE-2023-3708 - Vulnerability Details

Several themes for WordPress by DeoThemes are vulnerable to Reflected Cross-Site Scripting via breadcrumbs in various versions due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00742.

Exploitation none

Automatable no

Technical Impact partial

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

deothemes

Amela

unaffected

Version	Status	Constraints
`0`	affected	≤ 1.0.13

Deothemes

MedikAid | Medical Health Care RTL WordPress Theme

unaffected

Version	Status	Constraints
`0`	affected	≤ 1.1.2

deothemes

Arendelle

unaffected

Version	Status	Constraints
`0`	affected	≤ 1.1.12

deothemes

Nokke

unaffected

Version	Status	Constraints
`0`	affected	≤ 1.2.3

deothemes

Everse

unaffected

Version	Status	Constraints
`0`	affected	≤ 1.8.10

Configuration 1 [-]

OR	cpe:2.3:a:deothemes:amela::::::wordpress::*
	cpe:2.3:a:deothemes:arendelle::::::wordpress::*
	cpe:2.3:a:deothemes:everse::::::wordpress::*
	cpe:2.3:a:deothemes:medikaid::::::wordpress::*
	cpe:2.3:a:deothemes:nokke::::::wordpress::*

No data.

Project Subscriptions

Vendors	Products
Deothemes Subscribe	Amela Subscribe Arendelle Subscribe Everse Subscribe Medikaid Subscribe Nokke Subscribe

Advisories

Source	ID	Title
EUVD	EUVD-2023-44343	Several themes for WordPress by DeoThemes are vulnerable to Reflected Cross-Site Scripting via breadcrumbs in various versions due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://deothemes.com/changelog/medikaid-changelog/
https://themes.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=196755%40nokke&new=196755%40nokke&sfp_email=&sfph_mail=
https://themes.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=196756%40arendelle&new=196756%40arendelle&sfp_email=&sfph_mail=
https://themes.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=196757%40amela&new=196757%40amela&sfp_email=&sfph_mail=
https://themes.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=196758%40everse&new=196758%40everse&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/1b8b0f14-f31a-45cd-bb98-0b717059aa80?source=cve

History

Fri, 10 Apr 2026 04:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 08 Apr 2026 17:00:00 +0000

Type	Values Removed	Values Added
Title		Multiple DeoThemes Themes <= (Various Versions) - Reflected Cross-Site Scripting

Fri, 06 Feb 2026 20:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Deothemes amela Deothemes arendelle Deothemes everse Deothemes nokke
Weaknesses		CWE-79
CPEs		cpe:2.3:a:deothemes:amela::::::wordpress::* cpe:2.3:a:deothemes:arendelle::::::wordpress::* cpe:2.3:a:deothemes:everse::::::wordpress::* cpe:2.3:a:deothemes:nokke::::::wordpress::*
Vendors & Products		Deothemes amela Deothemes arendelle Deothemes everse Deothemes nokke

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2023-07-18T02:01:06.298Z

Updated: 2026-04-08T16:38:16.152Z

Reserved: 2023-07-17T12:50:14.331Z

Link: CVE-2023-3708

Vulnrichment

Updated: 2024-08-02T07:01:57.516Z

NVD

Status : Modified

Published: 2023-07-18T03:15:55.897

Modified: 2026-04-08T17:17:00.390

Link: CVE-2023-3708

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-79

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Project Subscriptions

Projects

JSON object

JSON object

JSON object

JSON object

JSON object