PatchSiren cyber security CVE debrief

CVE-2026-48869 Kriesi CVE debrief

CVE-2026-48869 is a high-severity unauthenticated Cross-Site Scripting (XSS) vulnerability in Enfold theme versions <= 7.1.4. It carries a CVSS score of 7.1 and was published on 2026-06-17. The vulnerability allows attackers to inject malicious scripts into web pages viewed by other users, and this issue requires no user interaction to exploit. Successful exploitation could lead to unauthorized actions performed on behalf of the affected user. Users of affected versions should apply patches immediately, and administrators should prioritize updating to a patched version. The CVE record and the NVD detail page provide additional information.

Vendor: Kriesi
Product: Enfold
CVSS: HIGH 7.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-17
Original CVE updated: 2026-06-17
Advisory published: 2026-06-17
Advisory updated: 2026-06-17

Who should care

Administrators and users of Enfold theme versions <= 7.1.4 should be aware of this vulnerability. Web application security teams and developers who build on this theme should prioritize patching.

Technical summary

CVE-2026-48869 is a high-severity unauthenticated Cross-Site Scripting (XSS) vulnerability in Enfold theme versions <= 7.1.4. It has a CVSS score of 7.1 and a CVSS vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The weakness is categorized as CWE-79 (Improper Neutralization of Input During Web Page Generation). Exploitation requires no authentication (PR:N) and has low attack complexity (AC:L).

Defensive priority

High

Recommended defensive actions

  • Apply patches or updates to Enfold theme versions <= 7.1.4 immediately.
  • Review and update any outdated plugins or themes.
  • Implement Content Security Policy (CSP) to mitigate XSS attacks.
  • Monitor web application logs for suspicious activity.
  • Educate users about the risks of XSS attacks.
  • Consider Web Application Firewall (WAF) protection.
  • Regularly review and update software dependencies.
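The "monitor web application logs for suspicious activity" action above is easier to act on with a concrete detector. The following Python script is an added example, not part of this advisory and not code from Kriesi or the Enfold project: it scans access-log lines in the common Apache/nginx combined format, URL-decodes each query string repeatedly (so double-encoded payloads are not missed), and flags requests that carry script-like content. The log lines are constructed samples, and because the advisory does not name the vulnerable parameter, the check looks at every query string rather than one specific field.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample traffic in combined log format (not real requests to any site).
SAMPLE_LOG = """\
203.0.113.10 - - [17/Jun/2026:10:01:02 +0000] "GET /?s=shoes HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [17/Jun/2026:10:01:05 +0000] "GET /?s=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5120 "-" "curl/8.0"
203.0.113.12 - - [17/Jun/2026:10:01:09 +0000] "GET /page/?ref=javascript:alert(document.cookie) HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
203.0.113.13 - - [17/Jun/2026:10:01:12 +0000] "GET /blog/?q=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
203.0.113.14 - - [17/Jun/2026:10:01:15 +0000] "GET /contact/ HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

# Combined log format: client IP, identity, user, timestamp, request line, status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators of reflected-XSS probing in a decoded query string. Order matters
# only for the order in which indicator names are reported.
INDICATORS = [
    ("script_tag", re.compile(r"<\s*script\b", re.I)),
    ("event_handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("javascript_uri", re.compile(r"javascript\s*:", re.I)),
    ("html_tag_in_query", re.compile(r"<\s*(img|svg|iframe|object|embed)\b", re.I)),
]


def decode_fully(value, max_rounds=3):
    """URL-decode until the string stops changing; return (decoded, rounds used).

    Attackers often double-encode payloads to slip past single-pass filters, so
    a detector that decodes only once misses them. The round cap avoids looping
    on pathological input.
    """
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
        rounds += 1
    return value, rounds


def scan_log(text):
    """Return a list of hit records for lines whose query string matches an indicator."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        query = m.group("path").partition("?")[2]
        if not query:
            continue  # nothing user-controlled to inspect in this request
        decoded, rounds = decode_fully(query)
        matched = [name for name, rx in INDICATORS if rx.search(decoded)]
        if matched:
            hits.append({
                "ip": m.group("ip"),
                "timestamp": m.group("ts"),
                "status": int(m.group("status")),
                "decoded_query": decoded,
                "decode_rounds": rounds,
                "indicators": matched,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["timestamp"]} {hit["ip"]} status={hit["status"]} '
              f'rounds={hit["decode_rounds"]} {hit["indicators"]} :: {hit["decoded_query"]}')
```

Run it over a real access log by replacing SAMPLE_LOG with the file contents. A 200 status on a flagged request is the interesting case, since it means the application served a page for that input; a WAF or CSP (the other actions listed above) will turn many of these into 403s or blocked inline script, which is the outcome a defender wants to see in the same log.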

Evidence notes

The CVE record and NVD detail provide information on this vulnerability. The CVE was published on 2026-06-17 and last modified on 2026-06-17. The vulnerability was reported by [email protected].
