Medium severity6.1NVD Advisory· Published Jun 29, 2024· Updated Apr 15, 2026

CVE-2023-4017

Description

The Goya theme for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘attra-color’, 'attra-size', and 'product-cata' parameters in versions up to, and including, 1.0.8.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS in Goya WordPress theme via 'attra-color', 'attra-size', and 'product-cata' parameters due to insufficient input sanitization; unauthenticated attackers can inject scripts by tricking users.

Vulnerability

Overview

The Goya WordPress theme versions up to and including 1.0.8.7 are affected by a reflected cross-site scripting (XSS) vulnerability. The issue stems from insufficient input sanitization and output escaping in the attra-color, attra-size, and product-cata parameters. This allows unauthenticated attackers to inject arbitrary web scripts into pages [1].

Exploitation

Prerequisites

Exploitation requires no authentication and can be achieved by tricking a user into clicking a crafted link that includes malicious payloads within the vulnerable parameters. The attacker does not need any special network position; a standard HTTP request to the vulnerable site is sufficient [1].

Impact and

Mitigation

Successful exploitation enables an attacker to execute arbitrary JavaScript in the browser of the victim user, potentially leading to session hijacking, credential theft, or defacement. The vulnerability was addressed in Goya theme version 1.0.8.8, as noted in the changelog. Users are strongly advised to update to the latest version to mitigate the risk [1].

References

Changelog – Goya

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

WordPress/Goyainferred
Range: <=1.0.8.7
Package: https://wordpress.org/themes/goya

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

News mentions

No linked articles in our index yet.

cvss	0.397
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000