CVE-2026-24949
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods PhotoMe photome allows DOM-Based XSS. This issue affects PhotoMe: from n/a through <= 5.7.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
DOM-based XSS in ThemeGoods PhotoMe WordPress theme up to 5.7.1 allows script injection via improper input sanitization.
The ThemeGoods PhotoMe WordPress theme versions up to and including 5.7.1 contain a DOM-based Cross-Site Scripting (XSS) vulnerability. The root cause is improper neutralization of user-supplied input during web page generation, allowing attackers to inject malicious scripts that execute in the context of the victim's browser [1].
Exploitation
Exploitation requires a privileged user (e.g., administrator) to perform an action such as clicking a crafted link or visiting a specially prepared page. The attack is client-side and does not need authentication against the server directly, but relies on user interaction [1].
Impact
Successful exploitation enables an attacker to inject arbitrary scripts, redirect visitors, display advertisements, or insert other HTML payloads into the site. This can lead to defacement, data theft from authenticated users, or distribution of malware [1].
Mitigation
The vendor has released version 5.7.2 which resolves the vulnerability. Users are strongly advised to update immediately. As a temporary measure, Patchstack offers a mitigation rule to block attacks until the update is applied [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 5.7.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.