Skip to main content

Kalium WordPress Theme CVE-2025-53349

HIGH
Cross-site Scripting (XSS) (CWE-79)
2025-11-06 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

6
Analysis Updated
Apr 24, 2026 - 00:49 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:43 vuln.today
cvss_changed
Severity Changed
Apr 23, 2026 - 15:43 NVD
MEDIUM HIGH
CVSS changed
Apr 23, 2026 - 15:43 NVD
6.1 (MEDIUM) 7.1 (HIGH)
Analysis Generated
Mar 28, 2026 - 19:20 vuln.today
CVE Published
Nov 06, 2025 - 16:15 nvd
MEDIUM 6.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Laborator Kalium kalium allows Reflected XSS.This issue affects Kalium: from n/a through <= 3.18.3.

AnalysisAI

Reflected cross-site scripting (XSS) in Kalium WordPress theme versions through 3.18.3 enables remote attackers to inject malicious scripts into web pages viewed by victims. Exploitation requires user interaction (clicking a crafted link) but no authentication, with changed scope indicating potential session hijacking or actions on behalf of victims across the theme's context. EPSS score of 0.05% (17th percentile) suggests low observed exploitation activity. No active exploitation confirmed via CISA KEV or public exploit code at time of analysis.

Technical ContextAI

This vulnerability exploits a reflected cross-site scripting weakness (CWE-79) in the Kalium WordPress theme by Laborator. Reflected XSS occurs when user-supplied input is immediately returned in HTTP responses without proper sanitization or encoding, allowing attackers to inject arbitrary JavaScript. The CVSS vector indicates Changed Scope (S:C), meaning the vulnerability affects resources beyond the vulnerable component itself - in WordPress themes, this typically involves injecting scripts that execute in the victim's browser session with access to WordPress cookies, CSRF tokens, and administrative functions. The Kalium theme is a commercial WordPress theme marketed for creative portfolios and agencies, suggesting a potentially broad install base among business websites. The vulnerability was reported by Patchstack's audit team, a commercial WordPress security platform specializing in theme and plugin vulnerabilities.

Affected ProductsAI

The vulnerability affects Kalium WordPress theme by Laborator, versions from earliest available release through version 3.18.3. The Patchstack advisory (https://patchstack.com/database/Wordpress/Theme/kalium/vulnerability/wordpress-kalium-theme-3-18-3-cross-site-scripting-xss-vulnerability) provides the primary vendor reference. Kalium is a premium commercial WordPress theme available through ThemeForest, requiring licensed installations. Specific CPE designation not available in provided data, indicating potential gap in automated vulnerability scanning coverage for commercial WordPress themes.

RemediationAI

Upgrade Kalium theme to the latest patched version available from Laborator or ThemeForest. Based on the vulnerability affecting versions through 3.18.3, a fix version higher than 3.18.3 should be available or forthcoming - consult the Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/kalium/vulnerability/wordpress-kalium-theme-3-18-3-cross-site-scripting-xss-vulnerability for exact patched version confirmation. If immediate patching is not feasible, implement compensating controls: deploy web application firewall (WAF) rules to filter common XSS payloads in HTTP parameters (trade-off: potential false positives blocking legitimate special characters); enable Content Security Policy (CSP) headers to restrict inline script execution (trade-off: may break theme functionality relying on inline JavaScript); restrict WordPress administrative access to trusted networks via IP allowlisting (trade-off: reduces mobility for remote administrators). Note that compensating controls mitigate but do not eliminate XSS risk, as determined attackers can bypass WAF filters and CSP with advanced techniques. Theme replacement should be considered if vendor responsiveness is inadequate.

Share

CVE-2025-53349 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy