{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39638", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:57:43.491Z", "datePublished": "2026-04-08T08:30:31.510Z", "dateUpdated": "2026-04-08T08:30:31.510Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "qubely", "product": "Qubely", "vendor": "Themeum", "versions": [{"lessThanOrEqual": "1.8.14", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jitlada | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:35.888Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeum Qubely qubely allows Stored XSS.<p>This issue affects Qubely: from n/a through <= 1.8.14.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeum Qubely qubely allows Stored XSS.This issue affects Qubely: from n/a through <= 1.8.14."}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "Stored XSS"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:31.510Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/qubely/vulnerability/wordpress-qubely-plugin-1-8-14-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "title": "WordPress Qubely plugin <= 1.8.14 - Cross Site Scripting (XSS) vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeum Qubely qubely allows Stored XSS.This issue affects Qubely: from n/a through <= 1.8.14."}], "id": "CVE-2026-39638", "lastModified": "2026-04-08T09:16:34.540", "metrics": {}, "published": "2026-04-08T09:16:34.540", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/qubely/vulnerability/wordpress-qubely-plugin-1-8-14-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.8.14]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Qubely", "source": "cna", "vendor": "Themeum"}, "product": "qubely", "vendor": "themeum"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T10:10:02.793410+00:00", "value": {"mitigation_remediation": ["Update the Qubely plugin to the latest released version (v1.8.15 or newer).", "If an immediate update is not possible, disable the plugin or remove it entirely from the site.", "Restrict editor and contributor roles from creating content that is processed by the plugin until a patch is applied.", "Review and sanitize any user\u2011generated content before rendering to mitigate potential XSS risks."], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The affected product is Themeum's Qubely plugin for WordPress. Versions up to and including 1.8.14 are vulnerable; all later versions are presumed fixed.", "description_and_impact": "The vulnerability is an improper neutralization of input during web page generation that allows an attacker to store malicious JavaScript in the WordPress site through the Qubely plugin. An attacker could inject code that is executed in the browser of any visitor, potentially leading to credential theft, session hijacking, defacement or execution of further malicious payloads. This is a CWE\u201179: Improper Neutralization of Input During Web Page Generation defect.", "risk_and_exploitability": "The attack vector is likely a stored XSS attack executed via the plugin\u2019s content management interface, which may require authenticated access with content editing rights. While the CVSS score is not provided and EPSS is unavailable, the presence of stored XSS provides a high potential for widespread impact. The vulnerability is not listed in CISA\u2019s KEV catalog, but it remains exploitable in any site still running a vulnerable plugin version."}}}}, "created": "2026-04-08T19:29:23.647162+00:00", "updated": "2026-04-08T19:41:37.055987+00:00", "vendors": ["themeum", "themeum$PRODUCT$qubely", "wordpress", "wordpress$PRODUCT$wordpress"]}