Theme Options Z CVE-2025-25121
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Theme Options Z allows Stored XSS. This issue affects Theme Options Z: from n/a through 1.4.
AnalysisAI
Stored cross-site scripting in Theme Options Z WordPress plugin through version 1.4 allows remote attackers to inject malicious scripts that execute in victim browsers when authenticated users view affected pages. Despite the CVSS 7.1 rating suggesting network-accessible exploitation without authentication (PR:N), stored XSS vulnerabilities in WordPress plugins typically require at least contributor-level access to inject payloads, creating a discrepancy between the CVSS vector and realistic exploitation requirements. EPSS score of 0.09% (26th percentile) indicates low observed exploitation probability, and no active exploitation has been confirmed by CISA KEV or other threat intelligence sources.
Technical ContextAI
This vulnerability stems from improper input sanitization (CWE-79) in the Theme Options Z WordPress plugin, a theme configuration tool. Stored XSS occurs when user-supplied input is saved to the database without adequate validation or encoding, then later displayed to other users without proper output escaping. In WordPress plugin contexts, this typically affects administrative interfaces where options are configured and stored. The vulnerability allows attackers to inject JavaScript payloads that persist in the database and execute whenever victims view the compromised page. The changed scope (S:C) in the CVSS vector suggests the malicious script can access resources beyond the vulnerable plugin's security context, potentially affecting the broader WordPress installation or other plugins sharing the same origin.
Affected ProductsAI
WordPress plugin Theme Options Z versions from initial release through version 1.4 are confirmed vulnerable per NVD data. The vendor is NotFound, and the plugin provides theme configuration management for WordPress sites. No specific CPE identifier was provided in the available data. Patchstack references indicate the vulnerability was identified through their security research program. Organizations running WordPress installations with this plugin installed in the affected version range should prioritize assessment, particularly multi-author sites where contributor-level users have access to plugin configuration interfaces.
RemediationAI
Update Theme Options Z to a version newer than 1.4 if a patched release becomes available. Monitor the Patchstack vulnerability database at the provided references for vendor patch announcements, as the advisory links appear to contain reference errors pointing to an unrelated WP Spell Check plugin. Until a confirmed patch is released, restrict access to Theme Options Z configuration pages to only fully-trusted administrator accounts, removing contributor and editor access to plugin settings. Implement Content Security Policy headers with strict script-src directives to limit execution of injected scripts. Deploy a web application firewall with XSS detection rules to filter malicious payloads before they reach the WordPress database. Review existing theme options data for suspicious JavaScript content, particularly in text fields allowing HTML input. Note that disabling the plugin entirely may break theme functionality, so thoroughly test in staging before production deployment.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today