Kalium WordPress Theme CVE-2025-53349
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
6DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Laborator Kalium kalium allows Reflected XSS.This issue affects Kalium: from n/a through <= 3.18.3.
AnalysisAI
Reflected cross-site scripting (XSS) in Kalium WordPress theme versions through 3.18.3 enables remote attackers to inject malicious scripts into web pages viewed by victims. Exploitation requires user interaction (clicking a crafted link) but no authentication, with changed scope indicating potential session hijacking or actions on behalf of victims across the theme's context. EPSS score of 0.05% (17th percentile) suggests low observed exploitation activity. No active exploitation confirmed via CISA KEV or public exploit code at time of analysis.
Technical ContextAI
This vulnerability exploits a reflected cross-site scripting weakness (CWE-79) in the Kalium WordPress theme by Laborator. Reflected XSS occurs when user-supplied input is immediately returned in HTTP responses without proper sanitization or encoding, allowing attackers to inject arbitrary JavaScript. The CVSS vector indicates Changed Scope (S:C), meaning the vulnerability affects resources beyond the vulnerable component itself - in WordPress themes, this typically involves injecting scripts that execute in the victim's browser session with access to WordPress cookies, CSRF tokens, and administrative functions. The Kalium theme is a commercial WordPress theme marketed for creative portfolios and agencies, suggesting a potentially broad install base among business websites. The vulnerability was reported by Patchstack's audit team, a commercial WordPress security platform specializing in theme and plugin vulnerabilities.
Affected ProductsAI
The vulnerability affects Kalium WordPress theme by Laborator, versions from earliest available release through version 3.18.3. The Patchstack advisory (https://patchstack.com/database/Wordpress/Theme/kalium/vulnerability/wordpress-kalium-theme-3-18-3-cross-site-scripting-xss-vulnerability) provides the primary vendor reference. Kalium is a premium commercial WordPress theme available through ThemeForest, requiring licensed installations. Specific CPE designation not available in provided data, indicating potential gap in automated vulnerability scanning coverage for commercial WordPress themes.
RemediationAI
Upgrade Kalium theme to the latest patched version available from Laborator or ThemeForest. Based on the vulnerability affecting versions through 3.18.3, a fix version higher than 3.18.3 should be available or forthcoming - consult the Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/kalium/vulnerability/wordpress-kalium-theme-3-18-3-cross-site-scripting-xss-vulnerability for exact patched version confirmation. If immediate patching is not feasible, implement compensating controls: deploy web application firewall (WAF) rules to filter common XSS payloads in HTTP parameters (trade-off: potential false positives blocking legitimate special characters); enable Content Security Policy (CSP) headers to restrict inline script execution (trade-off: may break theme functionality relying on inline JavaScript); restrict WordPress administrative access to trusted networks via IP allowlisting (trade-off: reduces mobility for remote administrators). Note that compensating controls mitigate but do not eliminate XSS risk, as determined attackers can bypass WAF filters and CSP with advanced techniques. Theme replacement should be considered if vendor responsiveness is inadequate.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today