PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-11358 themeisle CVE debrief

The Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More plugin for WordPress has a Stored Cross-Site Scripting vulnerability via admin settings in all versions up to, and including, 3.0.6. This vulnerability allows authenticated attackers with administrator-level permissions to inject arbitrary web scripts, which execute when a user accesses an injected page. The vulnerability affects multi-site installations and installations where unfiltered_html has been disabled. The CVSS score is 4.4, indicating a Medium severity.

Vendor: themeisle
Product: Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More
CVSS: MEDIUM 4.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-18
Original CVE updated: 2026-06-18
Advisory published: 2026-06-18
Advisory updated: 2026-06-18

Who should care

Administrators of WordPress multi-site installations or installations with unfiltered_html disabled who have the Orbit Fox plugin installed should be aware of this vulnerability. Additionally, security teams and WordPress administrators responsible for patching vulnerabilities should prioritize updating the Orbit Fox plugin.

Technical summary

The Orbit Fox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings due to insufficient input sanitization and output escaping. This allows authenticated attackers with administrator-level permissions to inject arbitrary web scripts. The vulnerability is limited to multi-site installations and installations where unfiltered_html has been disabled. The CVSS vector is CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N, indicating a Medium severity.
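The pattern the summary describes (a settings value written to the database exactly as submitted and later echoed without escaping) is shown below beside the hardened form, as an added PHP example; it is not Orbit Fox code and does not reproduce the plugin's actual settings handling. The option name and the ps_demo_* functions are hypothetical; the WordPress calls used (register_setting, sanitize_text_field, wp_kses_post, esc_html, esc_attr, current_user_can, check_admin_referer, wp_unslash) are standard core API. The hardened sanitizer is deliberately stricter than core's post editor, which lets holders of unfiltered_html store raw markup; a settings field never needs script, so sanitizing it for every role closes the multi-site / DISALLOW_UNFILTERED_HTML gap the advisory scopes this issue to.

```php
<?php
/**
 * Added example (hypothetical plugin code, not Orbit Fox): a stored-XSS-prone
 * settings field beside a hardened one. Option and function names are made up.
 */

// ---- Vulnerable pattern ----------------------------------------------------

function ps_demo_save_unsafe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'ps_demo_save' );
    // No sanitization: whatever markup an administrator submits is persisted,
    // even on sites where that administrator lacks unfiltered_html.
    update_option( 'ps_demo_footer_text', wp_unslash( $_POST['ps_demo_footer_text'] ) );
}

function ps_demo_render_unsafe() {
    // No output escaping: stored <script> runs in every visitor's browser.
    echo '<div class="footer-note">' . get_option( 'ps_demo_footer_text' ) . '</div>';
}

// ---- Hardened pattern: sanitize on save, escape on output -------------------

/**
 * Sanitize callback run by the Settings API on every save. The field is
 * allowed a small amount of formatting HTML, so wp_kses_post() is applied for
 * every role; it strips <script>, on* event handlers and javascript: URLs.
 * Use sanitize_text_field() instead for a field that should be plain text.
 */
function ps_demo_sanitize_footer_text( $value ) {
    if ( ! is_string( $value ) ) {
        return '';
    }
    return wp_kses_post( $value );
}

function ps_demo_register_settings() {
    register_setting(
        'ps_demo_group',
        'ps_demo_footer_text',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'ps_demo_sanitize_footer_text',
            'default'           => '',
        )
    );
}
add_action( 'admin_init', 'ps_demo_register_settings' );

/** Admin form field: the stored value is escaped for an attribute context. */
function ps_demo_render_field() {
    $value = get_option( 'ps_demo_footer_text', '' );
    printf(
        '<input type="text" name="ps_demo_footer_text" value="%s" class="regular-text" />',
        esc_attr( $value )
    );
}

/** Front-end output: late escaping, so a bad value in the DB still cannot execute. */
function ps_demo_render_safe() {
    $value = get_option( 'ps_demo_footer_text', '' );
    echo '<div class="footer-note">' . wp_kses_post( $value ) . '</div>';
}

/** Plain-text variant of the same field, for comparison. */
function ps_demo_render_plain( $value ) {
    // sanitize_text_field() on save plus esc_html() on output leaves no HTML at all.
    return '<span class="footer-note">' . esc_html( sanitize_text_field( $value ) ) . '</span>';
}
```

The two defences are independent: the sanitize callback keeps script out of the database regardless of which role saves the setting, and the escaping at render time means that even a value written by some other path (an import, a direct database edit) is neutralised before it reaches a browser. Either one alone would have been enough to avoid the class of issue this advisory describes; applying both is the conventional WordPress practice.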

Defensive priority

Medium

Recommended defensive actions

  • Update the Orbit Fox plugin to the latest version
  • Verify that unfiltered_html is not enabled on affected installations
  • Restrict administrator-level permissions to trusted users
  • Monitor for suspicious activity on affected installations
  • Implement a Web Application Firewall (WAF) to detect and prevent XSS attacks
  • Regularly review and update plugins and themes on WordPress installations

Evidence notes

The vulnerability was reported by [email protected] and is documented in the Wordfence threat intelligence database. The CVE record and NVD detail pages provide additional information on the vulnerability.

Official resources

The Orbit Fox plugin for WordPress has a Stored Cross-Site Scripting vulnerability via admin settings in all versions up to, and including, 3.0.6.