Skip to main content

WeMusic WordPress Theme CVE-2025-53585

HIGH
Cross-site Scripting (XSS) (CWE-79)
2025-11-06 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Updated
Apr 24, 2026 - 00:47 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:43 vuln.today
cvss_changed
Analysis Generated
Mar 28, 2026 - 19:20 vuln.today
CVE Published
Nov 06, 2025 - 16:15 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NooTheme WeMusic noo-wemusic allows Reflected XSS.This issue affects WeMusic: from n/a through <= 1.9.1.

AnalysisAI

Reflected cross-site scripting (XSS) in the WeMusic WordPress theme versions up to 1.9.1 allows remote attackers to execute arbitrary JavaScript in victims' browsers when they visit a specially crafted URL. The vulnerability requires user interaction (CVSS UI:R) but no authentication (PR:N), enabling attacks via social engineering such as phishing emails or malicious links. With EPSS exploitation probability of only 0.07% (20th percentile) and no CISA KEV listing, this represents a moderate theoretical risk but limited observed exploitation activity. Patchstack's reporting suggests responsible disclosure, though patch availability has not been independently confirmed.

Technical ContextAI

This is a reflected XSS vulnerability (CWE-79) in the NooTheme WeMusic WordPress theme. Reflected XSS occurs when user-supplied data is incorporated into HTTP responses without proper sanitization or encoding, allowing attackers to inject malicious scripts that execute in the context of the vulnerable site. The S:C (Scope Changed) CVSS metric indicates the vulnerability can affect resources beyond the theme itself - in this case, the WordPress site and potentially other same-origin content. WordPress themes commonly introduce XSS through improper handling of URL parameters, search queries, or form inputs that are echoed back to users. The 'Improper Neutralization of Input During Web Page Generation' designation indicates the theme fails to apply output encoding functions like esc_html() or wp_kses() that WordPress core provides for XSS prevention.

Affected ProductsAI

The vulnerability affects the WeMusic WordPress theme by NooTheme, specifically all versions from the initial release through version 1.9.1. This is a commercial premium theme available on ThemeForest, not distributed through the official WordPress.org theme repository. Organizations can verify their installation by checking the theme version in WordPress admin under Appearance > Themes. The Patchstack vulnerability database entry at https://patchstack.com/database/Wordpress/Theme/noo-wemusic/vulnerability/wordpress-wemusic-theme-1-9-1-cross-site-scripting-xss-vulnerability provides additional technical details, though no CPE identifier has been assigned to enable automated vulnerability scanning.

RemediationAI

Contact NooTheme directly through their support channels to obtain the latest version of the WeMusic theme and confirm whether a patched release addressing CVE-2025-53585 is available, as no specific fix version has been independently verified at time of analysis. If an updated theme version is confirmed, upgrade immediately through the WordPress admin interface or by replacing theme files via FTP/SFTP, ensuring to back up any theme customizations first. As an interim mitigation if patches are unavailable, implement Web Application Firewall (WAF) rules to detect and block common XSS patterns in URL parameters and HTTP headers accessing the theme - WordPress security plugins like Wordfence or Sucuri can provide this capability, though this introduces performance overhead and may generate false positives requiring tuning. Additionally, configure Content Security Policy (CSP) headers to restrict inline script execution and limit script sources to trusted domains, which reduces XSS impact but may break legitimate theme functionality requiring careful testing. Consider temporarily switching to an alternative WordPress theme if the WeMusic theme is not critical to business operations and vendor response is delayed. Monitor the Patchstack reference URL for updates on vendor patch status and validated remediation steps.

Share

CVE-2025-53585 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy