CVE-2026-3534
Published 2026-03-11
Priority: P4 · 31 · medium · CVSS 3.1 base score 6.4
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
EPSS: 0.20% (9.9th percentile)
The Astra theme for WordPress is vulnerable to Stored Cross-Site Scripting via the `ast-page-background-meta` and `ast-content-background-meta` post meta fields in all versions up to, and including, 4.12.3. This is due to insufficient input sanitization on meta registration and missing output escaping in the `astra_get_responsive_background_obj()` function for four CSS-context sub-properties (`background-color`, `background-image`, `overlay-color`, `overlay-gradient`). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
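The pattern the advisory describes is a classic stored XSS through a CSS sink: a Contributor saves a post meta array whose sub-values are never validated, and the theme later concatenates those values into generated CSS without escaping, so a value such as `")}</style><script>...` walks out of the `url()`, out of the rule, and out of the `<style>` element. The following Python model is an added example, not Astra's code or its patch: it reproduces the unsafe concatenation, then shows the fix as per-sub-property allowlist validation applied both where the meta is saved (in WordPress that would be the `sanitize_callback` passed at meta registration) and again where it is rendered. The rule layout (a base rule plus a `::before` overlay rule), the function names, the allowlist grammars and the sample meta values are all assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Allowlist validators for the four CSS-context sub-properties named in the
# advisory. The accepted grammars are assumptions for this example, not Astra's.
HEX_COLOR = re.compile(r"^#(?:[0-9a-fA-F]{3,4}|[0-9a-fA-F]{6}|[0-9a-fA-F]{8})$")
RGBA_COLOR = re.compile(
    r"^rgba?\(\s*\d{1,3}\s*,\s*\d{1,3}\s*,\s*\d{1,3}\s*(?:,\s*(?:0|1|0?\.\d+)\s*)?\)$"
)
# Deliberately narrow: no quotes, braces, semicolons, slashes or angle brackets,
# so a gradient value can never terminate the declaration, rule or <style> block.
GRADIENT = re.compile(r"^(?:linear|radial)-gradient\([#0-9a-zA-Z ,.%()-]+\)$")
URL_FORBIDDEN = set("()\"'<>\\")


def sanitize_color(value: str) -> str:
    value = value.strip()
    return value if HEX_COLOR.match(value) or RGBA_COLOR.match(value) else ""


def sanitize_image_url(value: str) -> str:
    """Reject anything that could close url("...") and allow only http(s) or relative URLs."""
    value = value.strip()
    if any(c in URL_FORBIDDEN or c.isspace() for c in value):
        return ""
    scheme = urlparse(value).scheme
    if scheme and scheme not in ("http", "https"):
        return ""
    return value


def sanitize_gradient(value: str) -> str:
    value = value.strip()
    return value if GRADIENT.match(value) else ""


SANITIZERS = {
    "background-color": sanitize_color,
    "background-image": sanitize_image_url,
    "overlay-color": sanitize_color,
    "overlay-gradient": sanitize_gradient,
}


def sanitize_meta(raw: dict) -> dict:
    """Save-side check: keep only known keys and run each value through its validator.
    In WordPress this is the job of the sanitize_callback given at meta registration."""
    return {key: check(str(raw.get(key, ""))) for key, check in SANITIZERS.items()}


def render_vulnerable(selector: str, meta: dict) -> str:
    """Model of the unsafe output: stored values concatenated straight into CSS."""
    base, overlay = [], []
    if meta.get("background-color"):
        base.append("background-color:" + meta["background-color"])
    if meta.get("background-image"):
        base.append('background-image:url("' + meta["background-image"] + '")')
    if meta.get("overlay-color"):
        overlay.append("background-color:" + meta["overlay-color"])
    if meta.get("overlay-gradient"):
        overlay.append("background-image:" + meta["overlay-gradient"])
    css = f"{selector}{{{';'.join(base)}}}"
    if overlay:
        css += f"{selector}::before{{{';'.join(overlay)}}}"
    return f"<style>{css}</style>"


def render_hardened(selector: str, meta: dict) -> str:
    """Same concatenation, but every value is re-validated at output time as well,
    so a payload that reached the database before the save-side fix is still inert."""
    return render_vulnerable(selector, sanitize_meta(meta))


def flag_injected_meta(rows):
    """Triage helper: upgrading the theme neutralizes stored payloads but does not
    delete them. rows are (post_id, meta_key, decoded_meta_dict); returns the
    (post_id, meta_key) pairs whose stored sub-values fail validation."""
    flagged = []
    for post_id, meta_key, value in rows:
        stored = {k: str(value.get(k, "")).strip() for k in SANITIZERS}
        if sanitize_meta(value) != stored:
            flagged.append((post_id, meta_key))
    return flagged


# Constructed sample meta values, shaped like the two post meta arrays in the advisory.
BENIGN_META = {
    "background-color": "#ffffff",
    "background-image": "https://example.com/bg.png",
    "overlay-color": "rgba(0,0,0,0.5)",
    "overlay-gradient": "linear-gradient(180deg, #000 0%, #fff 100%)",
}
MALICIOUS_META = {
    "background-color": "#ffffff",
    "background-image": '")}</style><script>alert(document.domain)</script>',
    "overlay-color": "#000000",
    "overlay-gradient": "linear-gradient(red, blue)",
}

if __name__ == "__main__":
    print(render_vulnerable(".post-9", MALICIOUS_META))  # script tag escapes the style block
    print(render_hardened(".post-9", MALICIOUS_META))    # background-image silently dropped
    print(flag_injected_meta([(7, "ast-page-background-meta", BENIGN_META),
                              (9, "ast-page-background-meta", MALICIOUS_META)]))
```

Two design points worth keeping when porting this back to PHP: validate with allowlists rather than trying to escape CSS (there is no single escaping function that makes an arbitrary string safe in colour, `url()` and gradient positions at once), and apply the check on both the save path and the render path, because a fix that only escapes output leaves the attacker's payload sitting in `wp_postmeta` for any other consumer of that meta.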
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| brainstormforce | astra | <= 4.12.3 | 4.12.4 |
GHSA
GHSA-9c4x-wwxm-pww8 · ghsa_unreviewed · 2026-03-11
CVE-2026-3534 [MEDIUM] CWE-79: Stored Cross-Site Scripting in the Astra theme for WordPress via the `ast-page-background-meta` and `ast-content-background-meta` post meta fields (full description above).
No detection rules found.
No public exploits indexed.
References
- Vulnerable code in Astra 4.12.3, output side (`inc/core/common-functions.php`): https://themes.trac.wordpress.org/browser/astra/4.12.3/inc/core/common-functions.php#L1629
- https://themes.trac.wordpress.org/browser/astra/4.12.3/inc/core/common-functions.php#L1640
- Vulnerable code in Astra 4.12.3, meta registration side (`inc/metabox/class-astra-meta-boxes.php`): https://themes.trac.wordpress.org/browser/astra/4.12.3/inc/metabox/class-astra-meta-boxes.php#L1380
- https://themes.trac.wordpress.org/browser/astra/4.12.3/inc/metabox/class-astra-meta-boxes.php#L1386
- Fix changeset (4.12.3 to 4.12.4): https://themes.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=316958%40astra%2F4.12.4&old=312219%40astra%2F4.12.3
- Wordfence advisory: https://www.wordfence.com/threat-intel/vulnerabilities/id/acf2906b-1ee5-4272-bf6d-36a02023f658?source=cve