{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22469", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-07T13:44:06.688Z", "datePublished": "2026-01-22T16:52:41.116Z", "dateUpdated": "2026-04-28T17:17:26.457Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "deepdigital", "product": "DeepDigital", "vendor": "mwtemplates", "versions": [{"lessThanOrEqual": "1.0.2", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:21:10.861Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in mwtemplates DeepDigital deepdigital allows Code Injection.<p>This issue affects DeepDigital: from n/a through <= 1.0.2.</p>"}], "value": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in mwtemplates DeepDigital deepdigital allows Code Injection.This issue affects DeepDigital: from n/a through <= 1.0.2."}], "impacts": [{"capecId": "CAPEC-242", "descriptions": [{"lang": "en", "value": "Code Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-80", "description": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:44.915Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/deepdigital/vulnerability/wordpress-deepdigital-theme-1-0-2-arbitrary-shortcode-execution-vulnerability?_s_id=cve"}], "title": "WordPress DeepDigital theme <= 1.0.2 - Arbitrary Shortcode Execution vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-23T19:51:44.030503Z", "id": "CVE-2026-22469", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T17:17:26.457Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22469", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-23T19:51:44.030503Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-23T19:51:31.199Z"}}], "cna": {"title": "WordPress DeepDigital theme <= 1.0.2 - Arbitrary Shortcode Execution vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-242", "descriptions": [{"lang": "en", "value": "Code Injection"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "mwtemplates", "product": "DeepDigital", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.0.2"}], "packageName": "deepdigital", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:21:10.861Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/deepdigital/vulnerability/wordpress-deepdigital-theme-1-0-2-arbitrary-shortcode-execution-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in mwtemplates DeepDigital deepdigital allows Code Injection.This issue affects DeepDigital: from n/a through <= 1.0.2.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in mwtemplates DeepDigital deepdigital allows Code Injection.<p>This issue affects DeepDigital: from n/a through <= 1.0.2.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-80", "description": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:44.915Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22469", "state": "PUBLISHED", "dateUpdated": "2026-04-28T17:17:26.457Z", "dateReserved": "2026-01-07T13:44:06.688Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-22T16:52:41.116Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in mwtemplates DeepDigital deepdigital allows Code Injection.This issue affects DeepDigital: from n/a through <= 1.0.2."}, {"lang": "es", "value": "Vulnerabilidad de neutralizaci\u00f3n incorrecta de etiquetas HTML relacionadas con scripts en una p\u00e1gina web (XSS B\u00e1sico) en mwtemplates DeepDigital deepdigital permite la inyecci\u00f3n de c\u00f3digo. Este problema afecta a DeepDigital: desde n/a hasta &lt;= 1.0.2."}], "id": "CVE-2026-22469", "lastModified": "2026-04-28T19:36:39.663", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-01-22T17:16:35.643", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/deepdigital/vulnerability/wordpress-deepdigital-theme-1-0-2-arbitrary-shortcode-execution-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-80"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-16T17:53:08.864161+00:00", "value": {"mitigation_remediation": ["Upgrade the DeepDigital theme to any released version beyond 1.0.2 if a patch is available from the vendor.", "If an update is not immediately available, disable or remove the theme\u2019s shortcode functionality or replace it with a vetted alternative that does not process arbitrary shortcodes.", "Apply a web application firewall or security plugin that blocks or sanitizes script\u2011related tags in user input and monitor for unexpected shortcode activity."], "summary": {"action": "Patch Promptly", "impact": "Arbitrary script injection via XSS"}, "threat_synthesis": {"affected_systems": "All sites that use the mwtemplates DeepDigital theme version 1.0.2 or earlier are vulnerable. The issue applies to any installation that has not yet upgraded beyond that release; site administrators should verify the theme version in use.", "description_and_impact": "The DeepDigital WordPress theme contains an improper neutralization of script\u2011related HTML tags that permits attackers to inject malicious code into a page through the theme\u2019s shortcode processing. This results in a Basic XSS flaw, allowing client\u2011side code to be executed when the affected page renders. If an attacker can place malicious shortcode content, browsers will interpret the injected scripts, leading to potential defacement, session hijacking, or other XSS\u2011related compromises. The weakness is identified as CWE\u201180.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity, and the EPSS score of less than 1\u202f% demonstrates a very low likelihood of exploitation under current conditions. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is via a web interface that accepts user\u2011supplied content, such as the post editor or form submission, where the attacker can embed a malicious shortcode. Successful exploitation would require the ability to insert or modify page content, after which the injected script can run in visitors\u2019 browsers."}}}}, "created": "2026-01-23T16:27:35.052981+00:00", "updated": "2026-04-16T18:00:11.166302+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}