Skip to main content

Themify Folo CVE-2025-31013

| EUVDEUVD-2025-210238 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-17 Patchstack
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
7.1 HIGH

Reflected XSS reachable over the network without authentication but requiring a victim click; scope changes to the browser and impacts are limited to session-level confidentiality, integrity, and availability.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 13:16 vuln.today

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themify Folo allows Reflected XSS.

This issue affects Themify Folo: from n/a through 1.9.6.

AnalysisAI

Reflected cross-site scripting in the Themify Folo WordPress theme (versions up to and including 1.9.6) allows remote attackers to execute arbitrary JavaScript in a victim's browser when the victim clicks a crafted link. The flaw is reported by Patchstack with a CVSS 3.1 base score of 7.1 driven by scope change and user interaction; no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.

Technical ContextAI

Themify Folo is a commercial WordPress theme distributed by Themify, identified by CPE cpe:2.3:a:themify:themify_folo. The root cause is CWE-79, Improper Neutralization of Input During Web Page Generation, meaning one or more request parameters rendered by the theme are echoed back into an HTML response without sufficient output encoding or input sanitization. Because the payload is delivered in the request and reflected in the response, attacker-supplied script executes in the origin of the WordPress site, giving access to cookies, the DOM, and any logged-in session - including administrator sessions when an admin is lured to the crafted URL.

RemediationAI

No vendor-released patch identified at time of analysis - the Patchstack advisory documents the flaw through version 1.9.6 but does not cite a fixed version in the supplied data, so administrators should monitor https://patchstack.com/database/wordpress/theme/folo/vulnerability/wordpress-themify-folo-theme-1-9-6-reflected-cross-site-scripting-xss-vulnerability and the Themify vendor channel for an updated Folo release and upgrade as soon as it is published. In the interim, deploy a WordPress-aware WAF rule (Patchstack, Wordfence, or equivalent) to filter reflected XSS payloads against the theme's request parameters, set a strict Content-Security-Policy header that disallows inline scripts to blunt payload execution (note this may break theme features that rely on inline JS and should be tested), restrict /wp-admin access by IP allowlist so administrators are less reachable by phishing links, and consider temporarily switching to another theme if the site has high-value admin accounts.

Share

CVE-2025-31013 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy