CVE-2011-3858

zespia/pixiv_custom < 2.1.6 - Cross-Site Scripting via s Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2011-3858. PoCs published by SiteWatch.

AI-analyzed exploit summary The provided text describes a cross-site scripting (XSS) vulnerability in the Pixiv Custom theme for WordPress, where user-supplied input via the 'cpage' parameter is not properly sanitized. This allows arbitrary script execution in the context of the affected site.

Description

Cross-site scripting (XSS) vulnerability in the Pixiv Custom theme before 2.1.6 for WordPress allows remote attackers to inject arbitrary web script or HTML via the s parameter.

Exploits (1)

exploitdb WRITEUP VERIFIED
by SiteWatch · textwebappsphp
https://www.exploit-db.com/exploits/36185

The provided text describes a cross-site scripting (XSS) vulnerability in the Pixiv Custom theme for WordPress, where user-supplied input via the 'cpage' parameter is not properly sanitized. This allows arbitrary script execution in the context of the affected site.

Classification
Writeup 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: Pixiv Custom theme for WordPress 2.1.5
No auth needed
Prerequisites: A vulnerable version of the Pixiv Custom theme for WordPress · User interaction to visit a crafted URL
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1
Core References
Exploit, URL Repurposed x_refsource_misc
https://sitewat.ch/en/Advisories/16

Scores

EPSS 0.0379
EPSS Percentile 88.6%

Details

CWE
CWE-79
Status published
Products (31)
zespia/pixiv_custom 1.0
zespia/pixiv_custom 1.0.1
zespia/pixiv_custom 1.0.2
zespia/pixiv_custom 1.1
zespia/pixiv_custom 1.1.1
zespia/pixiv_custom 1.1.2
zespia/pixiv_custom 1.1.3
zespia/pixiv_custom 1.1.4
zespia/pixiv_custom 1.1.5
zespia/pixiv_custom 1.1.6
... and 21 more
Published Sep 28, 2011
Tracked Since Feb 18, 2026