{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39629", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:57:36.651Z", "datePublished": "2026-04-08T08:30:28.135Z", "dateUpdated": "2026-04-08T08:30:28.135Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "uminex", "product": "Uminex", "vendor": "kutethemes", "versions": [{"lessThanOrEqual": "1.0.9", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:35.978Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in kutethemes Uminex uminex allows Code Injection.<p>This issue affects Uminex: from n/a through <= 1.0.9.</p>"}], "value": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in kutethemes Uminex uminex allows Code Injection.This issue affects Uminex: from n/a through <= 1.0.9."}], "impacts": [{"capecId": "CAPEC-242", "descriptions": [{"lang": "en", "value": "Code Injection"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-80", "description": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:28.135Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/uminex/vulnerability/wordpress-uminex-theme-1-0-9-arbitrary-shortcode-execution-vulnerability?_s_id=cve"}], "title": "WordPress Uminex theme <= 1.0.9 - Arbitrary Shortcode Execution vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in kutethemes Uminex uminex allows Code Injection.This issue affects Uminex: from n/a through <= 1.0.9."}], "id": "CVE-2026-39629", "lastModified": "2026-04-08T21:26:35.910", "metrics": {}, "published": "2026-04-08T09:16:33.340", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/uminex/vulnerability/wordpress-uminex-theme-1-0-9-arbitrary-shortcode-execution-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-80"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.0.9]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Uminex", "source": "cna", "vendor": "kutethemes"}, "product": "uminex", "vendor": "kutethemes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T09:35:58.010629+00:00", "value": {"mitigation_remediation": ["Apply the latest version of the Uminex theme (1.0.10 or later) or remove the theme entirely if not needed.", "If an upgrade is not immediately possible, disable shortcode processing for untrusted users or whitelist approved shortcodes.", "Use a web application firewall or plugin to block or sanitize script tags and other malicious input."], "summary": {"action": "Immediate Patch", "impact": "Code Injection via Shortcode"}, "threat_synthesis": {"affected_systems": "The Uminex WordPress theme from KuteThemes, version 1.0.9 and all earlier releases, is affected. Any installation that has not upgraded beyond 1.0.9 is vulnerable.", "description_and_impact": "Improper neutralization of script\u2011related HTML tags in the Uminex theme allows an attacker to inject arbitrary code through shortcodes. The injected code can execute JavaScript in the context of visitors to the site, potentially leading to information disclosure, session hijacking, or further exploitation of the victim\u2019s browser. The vulnerability is a form of basic XSS (CWE\u201180) that can be used for malicious script execution and may also enable broader code injection depending on the theme\u2019s handling of the input.", "risk_and_exploitability": "The CVSS details are not provided, but the exploit is likely to be feasible from the web as the vulnerability arises when an attacker can create or modify content that includes a shortcode. No authentication requirement is mentioned, so the risk applies to all content editors or, if a user can insert shortcodes, to any site visitor. The EPSS score is unavailable and the vulnerability is not listed in the CISA KEV catalog, suggesting it is not presently exploited in the wild, but the potential for widespread impact remains because WordPress themes are commonly used."}}}}, "created": "2026-04-08T19:29:29.832168+00:00", "updated": "2026-04-08T19:41:46.517305+00:00", "vendors": ["kutethemes", "kutethemes$PRODUCT$uminex", "wordpress", "wordpress$PRODUCT$wordpress"]}