Platform
wordpress
Component
molla
Fixed version
1.5.20
CVE-2026-32529 describes a Reflected Cross-Site Scripting (XSS) vulnerability discovered in the Molla WordPress theme. This flaw allows attackers to inject malicious scripts into web pages viewed by other users, potentially leading to account takeover or data theft. The vulnerability impacts versions of Molla prior to 1.5.19, and a patch has been released to address the issue.
An attacker exploiting this XSS vulnerability can inject arbitrary JavaScript code into a user's browser when they visit a crafted URL. This malicious script can then steal session cookies, redirect users to phishing sites, or deface the website. The impact is particularly severe because WordPress sites often handle sensitive user data, such as login credentials and personal information. Successful exploitation could lead to widespread compromise of user accounts and data breaches, especially if the theme is widely deployed.
CVE-2026-32529 was publicly disclosed on 2026-03-25. While no active exploitation campaigns have been confirmed at the time of writing, the ease of exploiting reflected XSS vulnerabilities means it is likely to be targeted. No KEV listing exists as of this date. Public proof-of-concept code is likely to emerge given the vulnerability's nature.
Websites using the Molla WordPress theme, particularly those with user input fields or forms, are at risk. Shared hosting environments where multiple websites share the same server resources are also at increased risk, as a compromised Molla installation on one site could potentially impact others.
• wordpress / composer / npm:
grep -r '<script>' /var/www/html/wp-content/themes/molla/*
• generic web:
curl -I 'https://example.com/?param=<script>alert(1)</script>'
• wordpress / composer / npm:
wp theme list | grep -i molla
Exploitation status
EPSS
0.04% (11th percentile)
CVSS vector
The primary mitigation for CVE-2026-32529 is to update the Molla WordPress theme to version 1.5.19 or later immediately. If upgrading is not immediately feasible, apply input validation and context-appropriate output encoding to any user-supplied data the theme reflects back into the page, which reduces the attack surface. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of protection. After upgrading, verify the fix by submitting a simple XSS payload (e.g., <script>alert(1)</script>) through the affected parameter and confirming that it is rendered as inert text rather than executed.
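To illustrate the output-encoding mitigation described above, here is an added example (not the Molla theme's own code) showing a reflected-XSS pattern in a WordPress template beside its hardened form; the `molla_demo_q` and `molla_demo_back` parameter names are hypothetical.

```php
<?php
// Added example: reflected XSS in a theme template and the WordPress-native fix.
// The query parameter names below are hypothetical, not taken from the Molla theme.

// VULNERABLE pattern: request data is echoed straight into the page.
// A URL such as ?molla_demo_q=<script>...</script> would be rendered as markup.
function demo_search_heading_vulnerable() {
    $q = isset( $_GET['molla_demo_q'] ) ? $_GET['molla_demo_q'] : '';
    echo '<h2>Results for: ' . $q . '</h2>';                            // no escaping
    echo '<input type="text" name="molla_demo_q" value="' . $q . '">';  // no escaping
}

// HARDENED pattern: sanitize on input, then escape for the exact output context.
function demo_search_heading_hardened() {
    // wp_unslash() removes the slashes WordPress adds to request data;
    // sanitize_text_field() strips tags, octets and line breaks from the value.
    $q = isset( $_GET['molla_demo_q'] )
        ? sanitize_text_field( wp_unslash( $_GET['molla_demo_q'] ) )
        : '';

    // HTML body context: esc_html() encodes < > & " ' so the value cannot
    // open or close a tag.
    echo '<h2>Results for: ' . esc_html( $q ) . '</h2>';

    // Attribute context: esc_attr() encodes quotes as well, so the value
    // cannot break out of value="..." and add an event-handler attribute.
    echo '<input type="text" name="molla_demo_q" value="' . esc_attr( $q ) . '">';

    // URL context: esc_url() rejects javascript: and other unsafe schemes
    // before the value is placed in href/src.
    $back = isset( $_GET['molla_demo_back'] )
        ? wp_unslash( $_GET['molla_demo_back'] )
        : home_url( '/' );
    echo '<a href="' . esc_url( $back ) . '">Back</a>';
}
```

The key point is that sanitize_text_field() alone is not sufficient: each echo must use the escaping function matching where the value lands (esc_html for text nodes, esc_attr for attributes, esc_url for URLs, wp_json_encode for inline script data).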
Update to version 1.5.19 or a later fixed version.
CVE-2026-32529 is a Reflected Cross-Site Scripting (XSS) vulnerability affecting Molla WordPress themes before version 1.5.19, allowing attackers to inject malicious scripts.
You are affected if you are using Molla WordPress theme versions prior to 1.5.19. Check your theme version and update immediately if necessary.
Upgrade the Molla WordPress theme to version 1.5.19 or later. Consider input validation and WAF rules as additional protection.
While no active exploitation campaigns have been confirmed, the vulnerability is likely to be targeted due to its ease of exploitation.
Refer to the official Molla theme documentation and WordPress plugin repository for updates and security advisories related to CVE-2026-32529.