WeMusic WordPress Theme CVE-2025-53585
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NooTheme WeMusic noo-wemusic allows Reflected XSS.This issue affects WeMusic: from n/a through <= 1.9.1.
AnalysisAI
Reflected cross-site scripting (XSS) in the WeMusic WordPress theme versions up to 1.9.1 allows remote attackers to execute arbitrary JavaScript in victims' browsers when they visit a specially crafted URL. The vulnerability requires user interaction (CVSS UI:R) but no authentication (PR:N), enabling attacks via social engineering such as phishing emails or malicious links. With EPSS exploitation probability of only 0.07% (20th percentile) and no CISA KEV listing, this represents a moderate theoretical risk but limited observed exploitation activity. Patchstack's reporting suggests responsible disclosure, though patch availability has not been independently confirmed.
Technical ContextAI
This is a reflected XSS vulnerability (CWE-79) in the NooTheme WeMusic WordPress theme. Reflected XSS occurs when user-supplied data is incorporated into HTTP responses without proper sanitization or encoding, allowing attackers to inject malicious scripts that execute in the context of the vulnerable site. The S:C (Scope Changed) CVSS metric indicates the vulnerability can affect resources beyond the theme itself - in this case, the WordPress site and potentially other same-origin content. WordPress themes commonly introduce XSS through improper handling of URL parameters, search queries, or form inputs that are echoed back to users. The 'Improper Neutralization of Input During Web Page Generation' designation indicates the theme fails to apply output encoding functions like esc_html() or wp_kses() that WordPress core provides for XSS prevention.
Affected ProductsAI
The vulnerability affects the WeMusic WordPress theme by NooTheme, specifically all versions from the initial release through version 1.9.1. This is a commercial premium theme available on ThemeForest, not distributed through the official WordPress.org theme repository. Organizations can verify their installation by checking the theme version in WordPress admin under Appearance > Themes. The Patchstack vulnerability database entry at https://patchstack.com/database/Wordpress/Theme/noo-wemusic/vulnerability/wordpress-wemusic-theme-1-9-1-cross-site-scripting-xss-vulnerability provides additional technical details, though no CPE identifier has been assigned to enable automated vulnerability scanning.
RemediationAI
Contact NooTheme directly through their support channels to obtain the latest version of the WeMusic theme and confirm whether a patched release addressing CVE-2025-53585 is available, as no specific fix version has been independently verified at time of analysis. If an updated theme version is confirmed, upgrade immediately through the WordPress admin interface or by replacing theme files via FTP/SFTP, ensuring to back up any theme customizations first. As an interim mitigation if patches are unavailable, implement Web Application Firewall (WAF) rules to detect and block common XSS patterns in URL parameters and HTTP headers accessing the theme - WordPress security plugins like Wordfence or Sucuri can provide this capability, though this introduces performance overhead and may generate false positives requiring tuning. Additionally, configure Content Security Policy (CSP) headers to restrict inline script execution and limit script sources to trusted domains, which reduces XSS impact but may break legitimate theme functionality requiring careful testing. Consider temporarily switching to an alternative WordPress theme if the WeMusic theme is not critical to business operations and vendor response is delayed. Monitor the Patchstack reference URL for updates on vendor patch status and validated remediation steps.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today