CVE-2026-11358 Overview
CVE-2026-11358 is a Stored Cross-Site Scripting (XSS) vulnerability in the Orbit Fox WordPress plugin by ThemeIsle. The plugin, marketed as "Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More", is affected in all versions up to and including 3.0.6. The flaw arises from insufficient input sanitization and output escaping in the admin settings handled by the menu-icons module. Authenticated attackers with administrator-level permissions can inject arbitrary web scripts that execute when users visit injected pages. The vulnerability only affects WordPress multi-site installations and installations where the unfiltered_html capability has been disabled.
Critical Impact
An authenticated administrator on a multi-site WordPress instance can persist JavaScript payloads that execute against any visitor of the injected page, enabling session abuse and content tampering.
Affected Products
- Orbit Fox by ThemeIsle (themeisle-companion) plugin versions up to and including 3.0.6
- WordPress multi-site installations running the affected plugin
- WordPress single-site installations where unfiltered_html has been disabled
Discovery Timeline
- 2026-06-18 - CVE-2026-11358 published to NVD
- 2026-06-18 - Last updated in NVD database
Technical Details for CVE-2026-11358
Vulnerability Analysis
The vulnerability is a stored Cross-Site Scripting issue classified under [CWE-79]. It exists within the menu-icons module of the themeisle-companion plugin, specifically in obfx_modules/menu-icons/init.php. The module accepts administrator-supplied settings values but fails to sanitize input on save and fails to escape output on render. Because the malicious payload is persisted in the WordPress database, it executes for any user who subsequently loads a page containing the injected menu icon configuration.
The issue is constrained to environments where high-privilege users do not already possess the unfiltered_html capability. On a standard single-site WordPress install, administrators hold unfiltered_html by default and may legitimately store HTML and scripts, so the same input is not a vulnerability there. On multi-site networks only Super Admins hold this capability, which is why a site-level administrator who stores script content is acting beyond their granted permissions and the issue qualifies as stored XSS.
Root Cause
The root cause is the absence of sanitization functions such as sanitize_text_field() on input and the absence of escaping functions such as esc_attr() or esc_html() on output within the menu-icons settings handlers referenced at lines 118 and 296 of init.php. The plugin trusts administrator input implicitly rather than enforcing capability-aware sanitization aligned with WordPress hardening guidance.
Attack Vector
Exploitation requires an authenticated session with administrator-level permissions on a multi-site network or an installation where unfiltered_html is disabled. The attacker submits a malicious payload through the Orbit Fox menu-icons admin settings. The payload is stored and later rendered without escaping, causing script execution in the browser of any user who loads the affected page. The high privilege requirement and the multi-site or hardened configuration prerequisite reduce the practical exposure of the flaw.
No verified public proof-of-concept exploit is associated with this CVE. The vulnerability is described in prose only; readers seeking source-level context can review the WordPress ThemeIsle Menu Icons Code at line 118 and the Wordfence Vulnerability Analysis.
Detection Methods for CVE-2026-11358
Indicators of Compromise
- Unexpected <script>, onerror, onload, or javascript: strings stored within wp_options or wp_postmeta rows tied to the obfx_menu_icons or themeisle-companion keys.
- Outbound requests from visitor browsers to attacker-controlled domains immediately after loading menu pages.
- Administrator account modifications to menu-icons settings that do not correlate with planned site changes.
Detection Strategies
- Inspect plugin settings values for HTML entities, encoded scripts, or external resource references that should not appear in icon configuration fields.
- Compare current themeisle-companion option values against a known-good backup or staging environment to identify drift.
- Review WordPress audit logs for update_option events targeting Orbit Fox keys performed by administrator accounts at unusual times.
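The indicator and strategy lists above can be turned into a small scanner that runs over an export of the plugin's option values. The script below is an added example written for this advisory; it is not code from the plugin, ThemeIsle or Wordfence. It assumes the option rows have been exported to strings (for instance from a wp_options dump or `wp option get <name> --format=json`), that structured values are JSON, and it uses constructed sample rows built around the obfx_menu_icons key named in the indicator list; the site2/site3 key suffixes and the attacker.invalid domain are sample data. It goes a little beyond the list by unwrapping HTML-entity and percent-encoded payloads before matching, since the strategies mention encoded scripts, and by diffing watched keys against a known-good baseline export.

```python
"""Scan exported WordPress option values for stored-XSS indicators.

Added example for this advisory, not code from the plugin, ThemeIsle or
Wordfence. Assumes option rows were exported to strings (e.g. a wp_options
dump or `wp option get <name> --format=json`), structured values are JSON,
and the rows below are constructed samples around the obfx_menu_icons key.
"""
import html
import json
import re
from urllib.parse import unquote

# Indicators named in the advisory: script tags, event handlers, javascript: URLs.
XSS_PATTERNS = {
    "script_tag": re.compile(r"<\s*script\b", re.IGNORECASE),
    "event_handler": re.compile(r"\bon(?:error|load|click|mouseover|focus)\s*=", re.IGNORECASE),
    "javascript_uri": re.compile(r"javascript\s*:", re.IGNORECASE),
}
# Option-name prefixes belonging to the plugin's modules (from the IoC list).
WATCHED_KEY_PREFIXES = ("obfx_", "themeisle")


def normalise(value: str) -> str:
    """Unwrap HTML entities and percent-encoding a few times so a payload hidden
    behind layered encoding still reaches the regexes."""
    out = value
    for _ in range(3):
        nxt = unquote(html.unescape(out))
        if nxt == out:
            break
        out = nxt
    return out


def flatten(value, path=""):
    """Yield (path, text) for every string leaf of a decoded option value."""
    if isinstance(value, dict):
        for key, sub in value.items():
            yield from flatten(sub, f"{path}/{key}")
    elif isinstance(value, list):
        for idx, sub in enumerate(value):
            yield from flatten(sub, f"{path}[{idx}]")
    elif isinstance(value, str):
        yield path or "/", value


def scan_option(option_name: str, raw_value: str) -> list[dict]:
    """One finding per (leaf, indicator) that matches inside this option."""
    try:
        decoded = json.loads(raw_value)
    except (json.JSONDecodeError, TypeError):
        decoded = raw_value  # plain scalar option
    findings = []
    for path, text in flatten(decoded):
        probe = normalise(text)
        for indicator, pattern in XSS_PATTERNS.items():
            match = pattern.search(probe)
            if match:
                findings.append({"option": option_name, "path": path, "indicator": indicator,
                                 "snippet": probe[max(0, match.start() - 10):match.end() + 30]})
    return findings


def scan_all(options: dict) -> list[dict]:
    """Scan every exported option, not only plugin keys: payloads get copied around."""
    return [f for name, raw in options.items() for f in scan_option(name, raw)]


def changed_keys(current: dict, baseline: dict, prefixes=WATCHED_KEY_PREFIXES) -> list:
    """Watched options whose value differs from, or is missing in, a known-good export."""
    return sorted(name for name, value in current.items()
                  if name.startswith(prefixes) and baseline.get(name) != value)


# Constructed sample export: a clean site, an event handler smuggled into a label,
# and an entity-encoded script tag in an icon field.
SAMPLE_OPTIONS = {
    "obfx_menu_icons": json.dumps(
        {"icons": [{"item_id": 12, "icon": "dashicons-admin-home", "label": "Home"}]}),
    "obfx_menu_icons_site2": json.dumps(
        {"icons": [{"item_id": 7, "icon": "dashicons-cart", "label": "Shop<img src=x onerror=alert(1)>"}]}),
    "obfx_menu_icons_site3": json.dumps(
        {"icons": [{"item_id": 3, "icon": "&#60;script&#62;fetch('https://attacker.invalid/c')&#60;/script&#62;"}]}),
    "blogname": "Example Site",
}
# Constructed known-good baseline captured before the suspicious changes.
BASELINE_OPTIONS = {
    "obfx_menu_icons": SAMPLE_OPTIONS["obfx_menu_icons"],
    "obfx_menu_icons_site2": json.dumps(
        {"icons": [{"item_id": 7, "icon": "dashicons-cart", "label": "Shop"}]}),
    "blogname": "Example Site",
}

if __name__ == "__main__":
    for f in scan_all(SAMPLE_OPTIONS):
        print(f"{f['option']}{f['path']}: {f['indicator']} -> {f['snippet']!r}")
    print("drift from baseline:", changed_keys(SAMPLE_OPTIONS, BASELINE_OPTIONS))
```

Run against the sample data it reports the onerror handler in the site2 label and the entity-encoded script tag in the site3 icon, and lists both keys as drifted from the baseline. A finding from the scanner is a trigger for manual review of the row, not proof of compromise: icon fields can legitimately contain markup-like text, so the baseline diff is what separates a planned change from an unexpected one.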
Monitoring Recommendations
- Enable a WordPress activity logging plugin to capture administrator setting changes and authentication events.
- Forward web server access logs and WordPress audit events to a centralized data lake for correlation across sites in a multi-site network.
- Alert on Content Security Policy (CSP) violation reports referencing inline script execution on administrative or menu-rendered pages.
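The last recommendation depends on reading the violation reports a browser sends back. The script below is an added example for this advisory, not code from the plugin or its vendor; it assumes reports arrive in the JSON body browsers POST to a `report-uri` endpoint (either the legacy `{"csp-report": {...}}` wrapper or a bare body) and that they have already been collected as strings. The reports, the shop.example host and the /wp-admin prefix used to label administrative pages are constructed sample data.

```python
"""Triage Content Security Policy violation reports for inline-script execution.

Added example for this advisory, not code from the plugin or its vendor. It
assumes reports arrive in the JSON body browsers POST to a `report-uri`
endpoint (the legacy {"csp-report": {...}} wrapper or a bare body) and that
they have already been collected as strings; the reports below are constructed.
A policy that produces them would be, for example:
    Content-Security-Policy: script-src 'self'; report-uri /csp-report
"""
import json
from urllib.parse import urlparse

# Values browsers place in blocked-uri when the blocked script was inline.
INLINE_MARKERS = {"inline", ""}


def parse_report(raw: str) -> dict:
    """Accept both the wrapped and the bare report body."""
    body = json.loads(raw)
    return body.get("csp-report", body)


def is_inline_script_violation(report: dict) -> bool:
    """True for a script-src (or script-src-elem/attr) violation on inline script;
    external-script and non-script violations are left for other rules."""
    directive = report.get("effective-directive") or report.get("violated-directive", "")
    return directive.startswith("script-src") and report.get("blocked-uri", "") in INLINE_MARKERS


def triage(raw_reports: list[str], admin_prefix: str = "/wp-admin") -> list[dict]:
    """Return an alert per inline-script violation, tagged admin or front-end,
    since a stored menu-icon payload can fire on either kind of page."""
    alerts = []
    for raw in raw_reports:
        report = parse_report(raw)
        if not is_inline_script_violation(report):
            continue
        page = urlparse(report.get("document-uri", "")).path
        alerts.append({
            "page": page,
            "area": "admin" if page.startswith(admin_prefix) else "front-end",
            "sample": report.get("script-sample", "")[:40],
        })
    return alerts


# Constructed sample reports: two inline-script violations (front-end and admin),
# then an image load and an external script, which should not alert here.
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {
        "document-uri": "https://shop.example/",
        "effective-directive": "script-src-attr",
        "blocked-uri": "inline",
        "script-sample": "alert(1)"}}),
    json.dumps({"csp-report": {
        "document-uri": "https://shop.example/wp-admin/nav-menus.php",
        "violated-directive": "script-src 'self'",
        "blocked-uri": ""}}),
    json.dumps({"csp-report": {
        "document-uri": "https://shop.example/",
        "effective-directive": "img-src",
        "blocked-uri": "https://attacker.invalid/x.png"}}),
    json.dumps({
        "document-uri": "https://shop.example/about/",
        "effective-directive": "script-src-elem",
        "blocked-uri": "https://cdn.example/lib.js"}),
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_REPORTS):
        print(alert)
```

On a site whose own theme still relies on inline scripts the policy should first run in Content-Security-Policy-Report-Only mode and the alert threshold should be a change in volume or a new page path, otherwise the rule will fire on the theme rather than on injected content.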
How to Mitigate CVE-2026-11358
Immediate Actions Required
- Update the Orbit Fox (themeisle-companion) plugin to a version newer than 3.0.6 once released by ThemeIsle.
- Audit all administrator accounts on multi-site networks and remove any that are not strictly required.
- Review and sanitize existing Orbit Fox menu-icons settings for unexpected HTML or script content.
Patch Information
The vendor changeset associated with the fix is tracked in the WordPress ThemeIsle Changeset. Apply the latest available release of the themeisle-companion plugin from the WordPress.org plugin directory. Confirm version reporting in the WordPress plugins screen after deployment across every site in a multi-site network.
Workarounds
- Deactivate the Orbit Fox plugin on multi-site networks until the patched release is deployed.
- Restrict administrator role assignment on multi-site networks to trusted personnel and require multi-factor authentication.
- Implement a strict Content Security Policy that disallows inline scripts on front-end pages rendering menu icons.
- Re-enable unfiltered_html only after weighing the trade-off against site security posture in single-site deployments.
# Configuration example: update the themeisle-companion plugin via WP-CLI
# Plugin files are shared by every site in a multi-site network, so one update
# covers the whole network; wp plugin update takes no --network flag.
wp plugin update themeisle-companion
# Confirm the installed version is newer than 3.0.6
wp plugin list --name=themeisle-companion --fields=name,status,version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

