Qubely Themeum plugin allows hackers to inject malicious code

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

Qubely Themeum plugin allows hackers to inject malicious code

CVE-2026-39638

Summary

If an attacker injects malicious code into Qubely, they can steal sensitive information or take control of your website. This is a risk because it allows unauthorized access to your site. Update to Qubely version 1.8.15 or later to fix this issue.

Original title

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeum Qubely qubely allows Stored XSS.This issue affects Qubely: from n/a through <= 1.8.14.

Original description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeum Qubely qubely allows Stored XSS.This issue affects Qubely: from n/a through <= 1.8.14.

Vulnerability type

CWE-79 Cross-site Scripting (XSS)

https://patchstack.com/database/Wordpress/Plugin/qubely/vulnerability/wordpress-...

Published: 8 Apr 2026 · Updated: 9 Apr 2026 · First seen: 8 Apr 2026