Domain Theme CVE-2025-28897
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Cross-Site Request Forgery (CSRF) vulnerability in Steveorevo Domain Theme allows Stored XSS. This issue affects Domain Theme: from n/a through 1.3.
AnalysisAI
CSRF in Domain Theme WordPress plugin (versions ≤1.3) allows unauthenticated attackers to inject persistent malicious scripts via tricked administrator actions. The chained vulnerability combines CSRF token absence with inadequate input sanitization, enabling stored XSS payload injection when an admin processes a forged request. EPSS score of 0.05% (14th percentile) indicates low widespread exploitation likelihood, with no active exploitation confirmed (not in CISA KEV) and no public exploit code identified at time of analysis.
Technical ContextAI
This vulnerability affects Domain Theme, a WordPress plugin by Steveorevo. The root cause is CWE-352 (Cross-Site Request Forgery), where the plugin fails to implement anti-CSRF tokens on state-changing administrative endpoints. The CSRF weakness is chained with stored XSS (CWE-79), indicating that attacker-controlled input accepted via CSRF bypasses HTML sanitization and persists in the WordPress database. When rendered to other users (especially administrators), the stored script executes in their browser context. The CVSS scope change (S:C) from Unchanged to Changed confirms the XSS payload escapes the vulnerable plugin's security boundary to affect other WordPress components or user sessions. This dual-vulnerability pattern is common in WordPress plugins lacking both nonce verification and output encoding.
Affected ProductsAI
WordPress Domain Theme plugin by Steveorevo, versions 1.3 and earlier, are vulnerable. The Patchstack advisory (https://patchstack.com/database/wordpress/plugin/domain-theme/vulnerability/wordpress-domain-theme-plugin-1-3-csrf-to-stored-xss-vulnerability) confirms version 1.3 as the highest tested vulnerable version, with no lower bound specified (indicating all historical versions may be affected). No CPE identifier is available in the provided data. Organizations should verify installed versions via WordPress admin dashboard (Plugins → Installed Plugins) and check the plugin's WordPress.org repository for update status.
RemediationAI
Upgrade Domain Theme plugin to a patched version if available by checking the WordPress plugin repository or contacting Steveorevo directly. As of this analysis, no specific fixed version number has been independently confirmed in the provided data - administrators must consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/domain-theme/vulnerability/wordpress-domain-theme-plugin-1-3-csrf-to-stored-xss-vulnerability) or the plugin's changelog for update availability. If no patch exists, implement these compensating controls: (1) Disable the Domain Theme plugin if not operationally required - this eliminates the attack surface but may break theme-dependent site functionality; (2) Restrict WordPress admin dashboard access to trusted IP addresses via .htaccess or firewall rules, reducing CSRF vector viability but hindering remote administration; (3) Deploy a Web Application Firewall (WAF) with virtual patching rules to block common XSS payloads in POST/GET parameters targeting the plugin's endpoints, though this may cause false positives on legitimate admin input; (4) Train administrators to never click external links while logged into WordPress and to verify CSRF tokens manually (not practical for non-technical users). Monitor WordPress audit logs for unexpected administrative actions that could indicate successful CSRF exploitation.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today