CVE-2026-27376
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in JanStudio Claue - Clean, Minimal Elementor WooCommerce Theme claue allows Reflected XSS. This issue affects Claue - Clean, Minimal Elementor WooCommerce Theme: from n/a through <= 2.2.7.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2026-27376 is a reflected XSS vulnerability in the Claue WordPress theme (≤2.2.7) allowing attackers to inject malicious scripts via crafted links.
Vulnerability Overview
CVE-2026-27376 is a reflected Cross-Site Scripting (XSS) vulnerability in the Claue - Clean, Minimal Elementor WooCommerce Theme for WordPress, affecting all versions up to and including 2.2.7. The issue stems from improper neutralization of user-supplied input during web page generation, a classic XSS flaw [1].
Exploitation
An attacker can exploit this vulnerability by crafting a malicious link containing a payload and tricking a privileged user (e.g., an admin) into clicking it. While the attacker can initiate the attack without any privileges, successful exploitation requires the target user to interact with the crafted link, such as clicking or visiting a specially prepared page [1].
Impact
If exploited, the attacker can inject arbitrary HTML and JavaScript into the victim's browser, leading to actions such as redirecting visitors to malicious sites, displaying unwanted ads, or stealing sensitive session data. This can compromise the integrity and confidentiality of the affected website [1].
Mitigation
As of the publication date, no official patch from the theme vendor has been confirmed. However, Patchstack has released a mitigation rule to block attacks until an update is available. Users are strongly advised to update the Claue theme to the latest version as soon as an official fix is released or apply the mitigation provided by Patchstack [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=2.2.7
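To check an installation against this range, the following added example (not part of the CVE record or the vendor's code) reads the `Version` header from each theme's `style.css` and flags Claue at or below 2.2.7, plus child themes that declare it as their `Template`. It assumes the theme lives in a directory named `claue` under `wp-content/themes`; the sample tree in `demo()` is constructed.

```python
import re
import tempfile
from pathlib import Path

THEME_SLUG = "claue"        # assumed theme directory name (slug in the CVE description)
LAST_AFFECTED = (2, 2, 7)   # "through <= 2.2.7" per the affected range

def read_header(style_css: Path, field: str):
    """Read one header field as WordPress does: from the first 8 KiB of style.css."""
    head = style_css.read_bytes()[:8192].decode("utf-8", "replace")
    m = re.search(r"^[ \t/*#@]*" + re.escape(field) + r":(.*)$", head, re.I | re.M)
    return m.group(1).strip() if m else None

def is_affected(version_text):
    """True if version <= 2.2.7; a missing or non-numeric version counts as affected."""
    parts = (version_text or "").split(".")
    if not all(p.isdigit() for p in parts):
        return True
    v = tuple(int(p) for p in parts)
    width = max(len(v), len(LAST_AFFECTED))  # pad so that 2.2 compares as 2.2.0
    return v + (0,) * (width - len(v)) <= LAST_AFFECTED + (0,) * (width - len(LAST_AFFECTED))

def audit_themes(themes_dir: Path):
    """Return {directory: (status, version)} for Claue and child themes built on it."""
    report = {}
    for css in sorted(themes_dir.glob("*/style.css")):
        name = css.parent.name
        if name == THEME_SLUG:
            version = read_header(css, "Version")
            report[name] = ("affected" if is_affected(version) else "not in range", version)
        elif (read_header(css, "Template") or "").lower() == THEME_SLUG:
            report[name] = ("child of claue", None)  # child themes run the parent's code
    return report

def demo():
    """Constructed sample tree: Claue at 2.2.7, a child theme, and an unrelated theme."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        samples = {
            "claue": "/*\nTheme Name: Claue\nVersion: 2.2.7\n*/",
            "claue-child": "/*\nTheme Name: Claue Child\nTemplate: claue\nVersion: 1.0\n*/",
            "other": "/*\nTheme Name: Other\nVersion: 9.9\n*/",
        }
        for slug, header in samples.items():
            (root / slug).mkdir()
            (root / slug / "style.css").write_text(header)
        return audit_themes(root)

if __name__ == "__main__":
    print(demo())
```

A child theme's own version says nothing about exposure; what matters is the version of the parent `claue` directory it loads.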
Patches
No patches discovered yet.
References
News mentions
No linked articles in our index yet.