CVE-2026-28075
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in p-themes Porto porto allows Reflected XSS. This issue affects Porto: from n/a through <= 7.6.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS vulnerability in p-themes Porto WordPress theme up to v7.6.2 allows script injection via improper input neutralization.
What the vulnerability is
CVE-2026-28075 is a reflected cross-site scripting (XSS) vulnerability in the Porto WordPress theme by p-themes. The software fails to properly neutralize user input during web page generation, allowing an attacker to inject arbitrary HTML or JavaScript into the response. This issue affects all versions from n/a through 7.6.2 [1].
How it's exploited
To exploit the flaw, an attacker must trick a privileged user, such as an administrator, into interacting with a crafted link, form, or other web element. The attack is reflected, meaning the malicious payload is delivered via a request and executed immediately in the victim's browser session. No direct authentication is required from the attacker, but successful exploitation depends on user interaction [1].
Impact
If exploited, the vulnerability enables an attacker to inject malicious scripts that can perform actions like redirecting visitors, displaying advertisements, or other HTML modifications. This can result in a compromise of the affected site's integrity and user experience, and could be leveraged in mass-exploit campaigns against thousands of websites [1].
Mitigation
Users should update the Porto theme to a version newer than 7.6.2 as soon as an official patch is released. In the interim, Patchstack has issued a mitigation rule to block attacks; site owners unable to update should consult their hosting provider or web developer for assistance [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0. No patches discovered yet.
References: 1
News mentions: 0. No linked articles in our index yet.