Platform: wordpress
Component: gaea
Fixed in: 3.8
CVE-2026-32518 describes a Reflected Cross-Site Scripting (XSS) vulnerability discovered in imithemes Gaea, a WordPress plugin. This vulnerability allows attackers to inject malicious scripts into web pages viewed by other users, potentially leading to session hijacking or data theft. The vulnerability affects versions of Gaea prior to 3.8 and has been assigned a CVSS score of 7.1 (HIGH). A fix is available in version 3.8.
Successful exploitation of CVE-2026-32518 allows an attacker to inject arbitrary JavaScript code into web pages served by a Gaea-powered WordPress site. This can be achieved by crafting malicious URLs containing XSS payloads. Upon visiting these URLs, users' browsers will execute the attacker's script, potentially leading to the theft of sensitive information such as cookies and session tokens. An attacker could also use this vulnerability to redirect users to phishing sites or deface the website. The impact is particularly severe if the website handles sensitive user data or is used for critical business operations.
CVE-2026-32518 was publicly disclosed on 2026-03-25. No public proof-of-concept (PoC) code has been identified at the time of writing. The vulnerability is not currently listed on CISA KEV. The probability of exploitation is considered medium, given the ease of XSS exploitation and the potential impact.
Exploit Status
EPSS: 0.04% (11th percentile)
CVSS Vector
The primary mitigation for CVE-2026-32518 is to upgrade the imithemes Gaea plugin to version 3.8 or later, which contains the fix for this vulnerability. If immediate upgrading is not possible, consider implementing input validation and output encoding on user-supplied data to reduce the attack surface. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can also provide an additional layer of protection. Regularly scan your WordPress site for vulnerabilities using a reputable security plugin.
Update to version 3.8, or a newer patched version
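As an added illustration of the output-encoding mitigation described above (example code written for this page, not Gaea's own code and not taken from the patched plugin): a request parameter reflected into HTML without escaping, beside the same output hardened with WordPress core sanitization and escaping functions. It assumes it runs inside WordPress; the `search_term` parameter and the `gaea_demo_search` shortcode name are hypothetical.

```php
<?php
/**
 * Added example (not Gaea's code): the reflected-XSS pattern the advisory
 * describes, beside a hardened version using WordPress core escaping.
 * Runs inside WordPress. "search_term" and "gaea_demo_search" are hypothetical.
 */

// VULNERABLE: request input is echoed straight into element content and into
// an attribute value. A link carrying markup in ?search_term= is rendered and
// executed by the browser of whoever follows it (reflected XSS).
function gaea_demo_search_vulnerable() {
    $term = isset( $_GET['search_term'] ) ? $_GET['search_term'] : '';
    return '<h2>Results for ' . $term . '</h2>'
         . '<input type="text" name="search_term" value="' . $term . '">';
}

// HARDENED: sanitize on input, escape on output for the exact HTML context.
function gaea_demo_search_hardened() {
    // wp_unslash() removes the slashes WordPress adds to superglobals;
    // sanitize_text_field() strips tags, invalid octets and line breaks.
    $term = isset( $_GET['search_term'] )
        ? sanitize_text_field( wp_unslash( $_GET['search_term'] ) )
        : '';
    // Escaping is context-specific: esc_html() for element content,
    // esc_attr() for attribute values, so the same value is escaped twice.
    return '<h2>Results for ' . esc_html( $term ) . '</h2>'
         . '<input type="text" name="search_term" value="' . esc_attr( $term ) . '">';
}

// Only the hardened version is exposed; the vulnerable function exists solely
// to show the difference and is deliberately not registered anywhere.
add_shortcode( 'gaea_demo_search', 'gaea_demo_search_hardened' );
```

Sanitizing input alone is not sufficient: the escaping call at the point of output is what prevents the reflected value from being interpreted as markup.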
CVE-2026-32518 is a Reflected XSS vulnerability in the imithemes Gaea WordPress plugin, allowing attackers to inject malicious scripts into web pages.
You are affected if you are using imithemes Gaea versions prior to 3.8. Check your plugin version and upgrade if necessary.
Upgrade imithemes Gaea to version 3.8 or later to resolve the vulnerability. Consider input validation and WAF rules as interim measures.
There is no confirmed active exploitation of CVE-2026-32518 at this time, but the potential for exploitation exists.
Refer to the imithemes website or WordPress plugin repository for the official advisory and update information.