PT-2026-24590 · Brainstorm Force · Astra

Alex Hickey · Published 2026-03-11 · Updated 2026-03-15 · CVE-2026-3534

CVSS v3.1: 6.4 Medium

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Astra theme for WordPress versions through 4.12.3

Description

The Astra theme for WordPress is susceptible to Stored Cross-Site Scripting through the ast-page-background-meta and ast-content-background-meta post meta fields. This is caused by inadequate input sanitization during meta registration and a lack of output escaping within the astra_get_responsive_background_obj() function. Specifically, the function fails to properly escape four CSS-context sub-properties: background-color, background-image, overlay-color, and overlay-gradient. Authenticated attackers with Contributor-level access or higher can inject malicious web scripts into pages. These scripts will then execute whenever a user accesses the compromised page. The vulnerable function is astra_get_responsive_background_obj().

Recommendations

Update the Astra theme to a version beyond 4.12.3.
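
An audit sketch for the weakness described above, added here as an example (not code from the Astra theme or from this advisory): it checks the four CSS-context sub-properties of the two meta fields against per-property allowlists and reports anything outside them. The device-keyed layout of the decoded meta value, the allowlist patterns and the sample data are assumptions made for the example.

```python
import re

# Meta keys and the four sub-property names come from the advisory. The nested
# layout (device -> sub-property -> string) is an assumption of this example.
META_KEYS = ("ast-page-background-meta", "ast-content-background-meta")

COLOR = re.compile(
    r"#(?:[0-9a-fA-F]{3,4}|[0-9a-fA-F]{6}|[0-9a-fA-F]{8})"
    r"|rgba?\(\s*[\d.]+%?(?:\s*,\s*[\d.]+%?){2,3}\s*\)"
    r"|var\(--[\w-]+\)"
    r"|[a-zA-Z]+"
)
URL = re.compile(r"https?://[^\s\"'()<>{};\\]+")
GRADIENT = re.compile(r"(?:linear|radial)-gradient\([#\w\s.,%()-]+\)")

# Allowlist per CSS-context sub-property; anything else is reported.
ALLOWED = {"background-color": COLOR, "overlay-color": COLOR,
           "background-image": URL, "overlay-gradient": GRADIENT}


def audit_meta(meta_key, meta_value):
    """Return (device, sub_property, value) for each value failing its allowlist."""
    findings = []
    if meta_key not in META_KEYS or not isinstance(meta_value, dict):
        return findings
    for device, props in meta_value.items():
        if not isinstance(props, dict):
            continue
        for name, pattern in ALLOWED.items():
            value = props.get(name, "")
            if value == "":
                continue  # unset sub-property
            if not isinstance(value, str) or not pattern.fullmatch(value.strip()):
                findings.append((device, name, value))
    return findings


# Constructed sample, already decoded from the stored post meta into a dict.
SAMPLE = {
    "desktop": {"background-color": "#1e73be", "overlay-color": "rgba(0,0,0,0.4)",
                "background-image": "https://example.test/hero.jpg",
                "overlay-gradient": "linear-gradient(135deg, rgba(6,147,227,1) 0%, #9b51e0 100%)"},
    "tablet": {"background-color": "#fff } < constructed-marker >"},
}

print(audit_meta("ast-page-background-meta", SAMPLE))
```

A non-empty result lists the posts' sub-property values that deserve manual review; an empty one means every stored value fits the allowlist used here.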

Fix

XSS

Weakness Enumeration

Related Identifiers: CVE-2026-3534

Affected Products: Astra