CVE-2026-27367
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Musico musico allows Reflected XSS. This issue affects Musico: from n/a through < 3.4.5.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A reflected XSS vulnerability in the WordPress Musico theme allows unauthenticated attackers to inject malicious scripts via crafted requests.
Vulnerability
CVE-2026-27367 is a reflected cross-site scripting (XSS) vulnerability found in the WordPress Musico theme, affecting versions below 3.4.5. The root cause is improper neutralization of user-supplied input during web page generation, allowing an attacker to inject arbitrary HTML and JavaScript into the response. This issue is classified as High severity with a CVSS v3 score of 7.1 [1].
Exploitation
Exploitation requires user interaction — a privileged user must click a crafted link, visit a maliciously prepared page, or submit a special form. No authentication is needed to trigger the vulnerability, but the victim’s action is part of the attack chain. The advisory notes this type of vulnerability is frequently used in mass-exploit campaigns targeting thousands of sites regardless of their popularity [1].
Impact
If successfully exploited, an attacker can inject payloads such as redirects, advertisements, or other HTML/JavaScript code that executes when visitors access the compromised page. This could lead to defacement, phishing, or further compromise of the victim’s session [1].
Mitigation
The vendor has released version 3.4.5, which resolves the issue. Users are advised to update immediately. For those unable to update, Patchstack offers a mitigation rule to block attacks until patching is complete [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: < 3.4.5
Patches
No patches discovered yet.
References