GCVE - cpe:2.3:a:brainstormforce:astra:*:*:*:*:*:*:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:brainstormforce:astra:*:*:*:*:*:*:*:*

part: a version: * update: *

Vendor	Brainstormforce (`cbcfaca7-5435-578c-aa63-084725e31f3b`)
Product	Astra (`279edc24-181d-5492-a195-0a4ae58712c7`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from purl2cpe mapping

PURL mappings

PURL	Source	Last updated
`pkg:github/brainstormforce/astra`	purl2cpe	2026-06-01 10:16:46.033150

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2026-3534`	vulnerable	2026-06-03 15:23:32.897484	Astra <= 4.12.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Meta MEDIUM (6.4) The Astra theme for WordPress is vulnerable to Stored Cross-Site Scripting via the `ast-page-background-meta` and `ast-content-background-meta` post meta fields in all versions up to, and including, 4.12.3. This is due to insufficient input sanitization on meta registration and missing output escaping in the `astra_get_responsive_background_obj()` function for four CSS-context sub-properties (`background-color`, `background-image`, `overlay-color`, `overlay-gradient`). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Published: 2026-03-11T06:45:31.218Z Updated: 2026-04-08T17:14:59.550Z Open on db.gcve.eu Reference links https://www.wordfence.com/threat-intel/vulnerabilities/id/acf2906b-1ee5-4272-bf6d-36a02023f658?source=cve https://themes.trac.wordpress.org/browser/astra/4.12.3/inc/core/common-functions.php#L1640 https://themes.trac.wordpress.org/browser/astra/4.12.3/inc/core/common-functions.php#L1629 https://themes.trac.wordpress.org/browser/astra/4.12.3/inc/metabox/class-astra-meta-boxes.php#L1386 https://themes.trac.wordpress.org/browser/astra/4.12.3/inc/metabox/class-astra-meta-boxes.php#L1380	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2024-2347`	vulnerable	2026-06-03 14:55:29.024138	Astra <= 4.6.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Display Name MEDIUM (6.4) The Astra theme for WordPress is vulnerable to Stored Cross-Site Scripting via a user's display name in all versions up to, and including, 4.6.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Published: 2024-04-09T18:59:31.932Z Updated: 2026-04-08T17:31:38.087Z Open on db.gcve.eu Reference links https://www.wordfence.com/threat-intel/vulnerabilities/id/ed914e67-4cf7-49b1-96be-ed8c604e6dce?source=cve https://themes.trac.wordpress.org/changeset/221725/astra	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.