CVE-2026-22329: WordPress Skillate theme <= 1.2.10 - Reflected Cross Site Scripting (XSS) vulnerability
Unauthenticated reflected Cross-Site Scripting (XSS) in Skillate versions <= 1.2.10.
Metrics
- CVSS v3.1: 7.1
- Severity: HIGH
- Fixed in: — (no upstream fix published)
- Affected Products: 1
HarborGuard Analysis
Synopsis
Reflected Cross-Site Scripting (XSS) affects the WordPress Skillate theme by Themeum in versions 1.2.10 and below. The vulnerability is reachable over the network with no authentication required, but an attacker must trick a victim into following a crafted link. Successful exploitation lets an attacker execute arbitrary JavaScript in the victim's browser in the context of the affected site, enabling session hijacking or session riding, page content manipulation, or redirecting the user to a malicious site. No upstream fix has been published yet; HarborGuard tracks the advisory for patch availability.
HarborGuard Coverage
Detection for CVE-2026-22329 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream advisory feeds, including custom-built images that bundle the Skillate theme. Coverage applies to images in both registry scans and CI/CD pipeline checks.
HarborGuard scores this CVE at CVSS 7.1 (HIGH) and weights the result against each customer environment's compliance policy to surface it at the appropriate severity tier. Routing to the correct team inbox within a customer org is handled automatically based on per-environment policy configuration.
Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment Themeum ships a corrected release. In the meantime, compensating controls such as network-policy isolation of affected workloads are surfaced as recommended actions within the HarborGuard dashboard.
Exploit Conditions
- Network reachability: Required
The attacker must reach the affected WordPress site over the network and deliver a crafted URL to a victim.
- Authentication: Not required
No account or session credential is needed to craft or deliver the malicious URL. The injected script runs with whatever privileges the victim's browser session holds on the site, so the practical impact depends on who follows the link.
- Victim interaction: Required
The victim must click or follow a specially crafted link, making this a social-engineering-dependent attack.
- Attack complexity: Low
Exploitation is reliable and condition-free once the attacker delivers the link; no race conditions or special environmental state are required.
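One check a security-operations team can run while no patch exists: scan the site's access logs for requests whose query-string values carry reflected-XSS probes of the kind described above. The script below is an added example, not part of the HarborGuard page and not a signature for the Skillate bug itself (the advisory does not name the vulnerable parameter), so it scans every parameter rather than a specific one and decodes double percent-encoding before matching. The log lines it processes are constructed samples in Combined Log Format, and the parameter names and paths in them are illustrative.

```python
"""Flag reflected-XSS probe attempts in web server access logs.

Added example; not HarborGuard or Themeum code. The advisory does not name
the vulnerable parameter, so every query-string value is inspected. Sample
log lines at the bottom are constructed for this example.
"""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Combined Log Format: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Markers that have no business in a theme's query-string values. This is a
# triage pattern, deliberately broad; tune it against the site's real traffic.
XSS_MARKERS = re.compile(
    r"<\s*(script|img|svg|iframe|body|object|embed)\b"
    r"|\bon[a-z]+\s*="          # inline event handler, e.g. onerror=
    r"|javascript\s*:"          # javascript: URL in a redirect/href parameter
    r"|<\s*/?\s*[a-z]+[^>]*>",  # any other HTML tag
    re.IGNORECASE,
)


def deep_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so %253C (double-encoded '<') is caught."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(target: str) -> list:
    """Return (name, decoded_value) pairs whose value matches an XSS marker."""
    query = urlsplit(target).query
    hits = []
    # parse_qsl performs the first percent-decoding pass; deep_decode handles
    # any further layers an attacker added to evade naive filters.
    for name, raw in parse_qsl(query, keep_blank_values=True):
        value = deep_decode(raw)
        if XSS_MARKERS.search(value):
            hits.append((name, value))
    return hits


def scan_log(lines) -> list:
    """Return one finding per request that carries a suspicious parameter."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        hits = suspicious_params(m["target"])
        if hits:
            findings.append({
                "ip": m["ip"],
                "status": int(m["status"]),
                "path": urlsplit(m["target"]).path,
                "params": hits,
            })
    return findings


# Constructed sample lines for a WordPress site; parameter names are illustrative.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2026:12:01:04 +0000] "GET /?s=wordpress+themes HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Mar/2026:12:01:09 +0000] "GET /?s=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5140',
    '198.51.100.23 - - [10/Mar/2026:12:02:31 +0000] "GET /page/?q=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 4802',
    '198.51.100.23 - - [10/Mar/2026:12:02:40 +0000] "GET /page/?next=javascript%3Aalert(document.cookie) HTTP/1.1" 302 0',
    '192.0.2.9 - - [10/Mar/2026:12:03:00 +0000] "GET /wp-content/uploads/2026/03/banner.png HTTP/1.1" 200 8810',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["status"], f["path"], f["params"])
```

A 200 response to a probe does not prove the payload was reflected unescaped, only that the request reached the site; confirm by fetching the page with the same parameter and inspecting where the value lands. Probes from the same client against several parameters in quick succession are the usual sign of a scanner hunting for the reflection point.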
Blast Radius
- A successful attacker executes arbitrary JavaScript in the victim's browser session on the affected WordPress site.
- The attacker can read the victim's session cookies or authentication tokens and replay them to take over the account. Note that WordPress sets its authentication cookies HttpOnly by default, so direct cookie theft from script is usually blocked; the injected script can instead issue requests as the victim from within the page (for example to admin-ajax.php or the REST API, using the nonces WordPress embeds in the DOM), which achieves the same effect without exfiltrating the cookie.
- The attacker can rewrite visible page content to phish credentials or redirect the victim to an external malicious site.
- Integrity and limited availability of the page are affected, as injected scripts can alter UI state or trigger repeated error conditions for the targeted user.
How HarborGuard Handles This
Available on HarborGuard: because no upstream fix for CVE-2026-22329 exists at this time, HarborGuard re-evaluates the Themeum advisory on every ingest cycle and will automatically surface a patched-image rebuild the moment a corrected version of the Skillate theme is published. While no fix is available, HarborGuard can surface compensating-control recommendations including network-policy isolation to restrict unauthenticated external traffic reaching affected WordPress containers (effective only where the site is not meant to be publicly reachable, since a reflected XSS is triggered through the site's ordinary public pages), egress filtering of the affected workload (this constrains the container's own outbound traffic; what an injected script can reach from the victim's browser is governed by the site's Content Security Policy, not by workload network policy), and flagging the affected image for manual review in the compliance queue. For customers who opt into auto-remediation, a rebuild, regression-test run, and PR against affected workloads will be initiated automatically once the upstream patch lands, with no manual intervention required.
- Themeum / Skillate: ≤ 1.2.10
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L