PT-2026-36597 · WordPress · Total

Published 2026-05-02 · Updated 2026-05-02 · CVE-2026-5077

CVSS v3.1: 5.4 (Medium)

Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Total theme for WordPress versions prior to 2.2.2

Description

Stored Cross-Site Scripting is possible via post titles because the home blog section template renders the output of the the_title() function inside an HTML attribute context without sufficient escaping. Authenticated attackers with contributor-level access or higher can inject arbitrary web scripts into pages. These scripts execute when a user accesses an injected page, provided the malicious post is published and displayed with a featured image in the Home Page blog section.

Recommendations

Update to a version later than 2.2.1.
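
The flaw class described above (a post title placed in an HTML attribute without attribute escaping), shown as an added example beside its escaped form. This is constructed code, not the Total theme's source: the function names, the sample post and the esc_attr() stand-in used outside WordPress are assumptions made for illustration.

```php
<?php
// Added illustration; constructed code, not the Total theme's source.

// Stand-in so the file runs outside WordPress (assumption: like the real
// esc_attr(), it encodes quotes and angle brackets for attribute context).
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}

// "Before": the title is concatenated into attribute values unescaped, which
// is what echoing the_title() inside title="" or alt="" amounts to.
function card_unescaped( array $post ) {
    return '<a class="blog-thumb" href="' . esc_attr( $post['url'] ) . '" title="' . $post['title'] . '">'
        . '<img src="' . esc_attr( $post['thumb'] ) . '" alt="' . $post['title'] . '"></a>';
}

// "After": every attribute value is escaped. In a real template this is
// the_title_attribute() or esc_attr( get_the_title() ), with esc_url() for URLs.
function card_escaped( array $post ) {
    return '<a class="blog-thumb" href="' . esc_attr( $post['url'] ) . '" title="' . esc_attr( $post['title'] ) . '">'
        . '<img src="' . esc_attr( $post['thumb'] ) . '" alt="' . esc_attr( $post['title'] ) . '"></a>';
}

// Regression check: parse the markup and list the attributes the <a> ends up with.
function anchor_attributes( $html ) {
    $dom = new DOMDocument();
    libxml_use_internal_errors( true ); // tolerate fragment markup
    $dom->loadHTML( $html );
    $attrs = array();
    foreach ( $dom->getElementsByTagName( 'a' )->item( 0 )->attributes as $attr ) {
        $attrs[ $attr->name ] = $attr->value;
    }
    return $attrs;
}

// Constructed post: the title carries a double quote and a harmless marker attribute.
$post = array(
    'title' => 'Launch day" data-marker="1',
    'url'   => 'https://example.test/launch-day/',
    'thumb' => 'https://example.test/uploads/launch.jpg',
);

foreach ( array( 'card_unescaped', 'card_escaped' ) as $render ) {
    $attrs = anchor_attributes( $render( $post ) );
    printf( "%-15s title intact: %s, attributes: %s\n", $render,
        $attrs['title'] === $post['title'] ? 'yes' : 'no', implode( ',', array_keys( $attrs ) ) );
}
```

A template is correctly escaped when the parsed title attribute equals the stored post title and no attribute appears that the template did not write itself.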

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-5077

Affected Products

Total