cleantalk
Vulnerabilities and Security Researches

Orbit Fox by ThemeIsle, CVE-2026-11358

CVE, Research URL

CVE-2026-11358

Home page URL

Security reports for Orbit Fox by ThemeIsle

Application

Orbit Fox by ThemeIsle

Published on
Jun 18, 2026
Research Description
The Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.0.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Affected versions
max 3.0.7.
Status
vulnerable
Previous vulnerability researches
Divi Forms Styler – Gravity Forms, Fluent Forms & Contact Form 7 (6d8910c719b2a132ec93828cd37e418b19cac960) , Jun 16, 2026
Divi Forms Styler – Gravity Forms, Fluent Forms & Contact Form 7 (9b1e2230b7886edf3c051cec5a5c91d89e19bc13) , Jun 16, 2026
Divi Forms Styler – Gravity Forms, Fluent Forms & Contact Form 7 (CVE-2022-4974) , Nov 15, 2024
Divi Forms Styler – Gravity Forms, Fluent Forms & Contact Form 7 (CVE-2023-33999) , Jun 13, 2026
Divi Forms Styler – Gravity Forms, Fluent Forms & Contact Form 7 (e24566f9bdab14b4b44a1c0befc6d678dd11428c) , Jun 06, 2024
New vulnerability
SMS Alert Order Notifications – WooCommerce (CVE-2026-54803) , Jun 19, 2026
SMS Alert Order Notifications – WooCommerce (CVE-2026-54802) , Jun 19, 2026
Webhook Automator & Form Integration to Automate 200+ Platforms – Bit Integrations (CVE-2026-11989) , Jun 19, 2026
Appointment Booking Calendar (CVE-2026-12111) , Jun 19, 2026
Melhor Envio (CVE-2026-54804) , Jun 19, 2026