Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Reflected XSS reachable over the network without authentication but requiring a victim click; scope changes to the browser and impacts are limited to session-level confidentiality, integrity, and availability.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themify Folo allows Reflected XSS.
This issue affects Themify Folo: from n/a through 1.9.6.
AnalysisAI
Reflected cross-site scripting in the Themify Folo WordPress theme (versions up to and including 1.9.6) allows remote attackers to execute arbitrary JavaScript in a victim's browser when the victim clicks a crafted link. The flaw is reported by Patchstack with a CVSS 3.1 base score of 7.1 driven by scope change and user interaction; no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Technical ContextAI
Themify Folo is a commercial WordPress theme distributed by Themify, identified by CPE cpe:2.3:a:themify:themify_folo. The root cause is CWE-79, Improper Neutralization of Input During Web Page Generation, meaning one or more request parameters rendered by the theme are echoed back into an HTML response without sufficient output encoding or input sanitization. Because the payload is delivered in the request and reflected in the response, attacker-supplied script executes in the origin of the WordPress site, giving access to cookies, the DOM, and any logged-in session - including administrator sessions when an admin is lured to the crafted URL.
RemediationAI
No vendor-released patch identified at time of analysis - the Patchstack advisory documents the flaw through version 1.9.6 but does not cite a fixed version in the supplied data, so administrators should monitor https://patchstack.com/database/wordpress/theme/folo/vulnerability/wordpress-themify-folo-theme-1-9-6-reflected-cross-site-scripting-xss-vulnerability and the Themify vendor channel for an updated Folo release and upgrade as soon as it is published. In the interim, deploy a WordPress-aware WAF rule (Patchstack, Wordfence, or equivalent) to filter reflected XSS payloads against the theme's request parameters, set a strict Content-Security-Policy header that disallows inline scripts to blunt payload execution (note this may break theme features that rely on inline JS and should be tested), restrict /wp-admin access by IP allowlist so administrators are less reachable by phishing links, and consider temporarily switching to another theme if the site has high-value admin accounts.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210238