CVE-2026-27375

Vulnerability

Overview

The Gecko theme for WordPress versions up to and including 1.9.8 contains a reflected cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw allows an attacker to inject arbitrary HTML and JavaScript into a page, which is then reflected back to the user's browser.

Exploitation

Details

Exploitation requires user interaction, specifically a privileged user (such as an administrator) to click a crafted link, visit a specially prepared page, or submit a malicious form [1]. The attacker does not need prior authentication to initiate the attack, but the victim must perform the action for the payload to execute. This makes the vulnerability suitable for mass-exploit campaigns targeting thousands of WordPress sites regardless of their size or popularity [1].

Impact

Successful exploitation enables the attacker to inject malicious scripts, including redirects, advertisements, and other HTML payloads. These scripts execute in the context of the victim's browser when they visit the affected site, potentially leading to session hijacking, defacement, or theft of sensitive information [1]. The CVSS v3 score of 7.1 (High) reflects the moderate danger and likelihood of exploitation.

Mitigation

Status

As of the publication date, no official patch has been released for the Gecko theme. The Patchstack team has issued a mitigation rule to block attacks until an official fix becomes available and can be safely applied [1]. Users are advised to update the theme as soon as a patched version is released, or to contact their hosting provider for assistance. If immediate action is not possible, implementing the Patchstack rule is recommended to reduce risk [1].