{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "versions": [
              {
                "introduced": "0"
              },
              {
                "last_affected": "4.4.0"
              }
            ]
          },
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "b5f6ca5af6e29fe5df7a65d512b177fa465cfa2e"
            }
          ],
          "repo": "https://github.com/wordpress/wordpress-develop",
          "type": "GIT"
        }
      ]
    }
  ],
  "details": "Multiple cross-site scripting (XSS) vulnerabilities in wp-includes/class-wp-theme.php in WordPress before 4.4.1 allow remote attackers to inject arbitrary web script or HTML via a (1) stylesheet name or (2) template name to wp-admin/customize.php.",
  "id": "CVE-2016-1564",
  "modified": "2026-04-01T23:08:52.703958540Z",
  "published": "2016-05-22T01:59:13.213Z",
  "references": [
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2016/01/08/4"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1034622"
    },
    {
      "type": "WEB",
      "url": "https://core.trac.wordpress.org/changeset/36185"
    },
    {
      "type": "WEB",
      "url": "https://wpvulndb.com/vulnerabilities/8358"
    },
    {
      "type": "ADVISORY",
      "url": "http://www.debian.org/security/2016/dsa-3444"
    },
    {
      "type": "FIX",
      "url": "https://codex.wordpress.org/Version_4.4.1"
    },
    {
      "type": "FIX",
      "url": "https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/"
    },
    {
      "type": "EVIDENCE",
      "url": "http://twitter.com/brutelogic/statuses/685105483397619713"
    }
  ],
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}