Medium severity6.1NVD Advisory· Published May 22, 2016· Updated Jun 17, 2026
CVE-2016-1564
CVE-2016-1564
Description
Multiple cross-site scripting (XSS) vulnerabilities in wp-includes/class-wp-theme.php in WordPress before 4.4.1 allow remote attackers to inject arbitrary web script or HTML via a (1) stylesheet name or (2) template name to wp-admin/customize.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*range: <=4.4.0
- (no CPE)range: <4.4.1
Patches
Vulnerability mechanics
References
8- codex.wordpress.org/Version_4.4.1nvdPatchVendor Advisory
- wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/nvdPatchVendor Advisory
- twitter.com/brutelogic/statuses/685105483397619713nvdExploit
- www.debian.org/security/2016/dsa-3444nvd
- www.openwall.com/lists/oss-security/2016/01/08/4nvd
- www.securitytracker.com/id/1034622nvd
- core.trac.wordpress.org/changeset/36185nvd
- wpvulndb.com/vulnerabilities/8358nvd
News mentions
0No linked articles in our index yet.