Astra theme for WordPress: Injected scripts in pages via certain post meta fields

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

6.4

Astra theme for WordPress: Injected scripts in pages via certain post meta fields

CVE-2026-3534

Summary

The Astra theme for WordPress contains a security weakness that allows attackers to inject malicious scripts into pages. This can happen if an authenticated user with limited access edits specific post meta fields. To protect your website, update to a newer version of the Astra theme.

Original title

Original description

The Astra theme for WordPress is vulnerable to Stored Cross-Site Scripting via the `ast-page-background-meta` and `ast-content-background-meta` post meta fields in all versions up to, and including, 4.12.3. This is due to insufficient input sanitization on meta registration and missing output escaping in the `astra_get_responsive_background_obj()` function for four CSS-context sub-properties (`background-color`, `background-image`, `overlay-color`, `overlay-gradient`). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

nvd CVSS3.1 6.4

Vulnerability type

CWE-79 Cross-site Scripting (XSS)

Published: 11 Mar 2026 · Updated: 13 Mar 2026 · First seen: 11 Mar 2026