Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Zootemplate Cerato allows Reflected XSS.This issue affects Cerato: from n/a through 2.2.18.
AnalysisAI
Reflected cross-site scripting in Zootemplate Cerato WordPress theme versions through 2.2.18 allows unauthenticated attackers to execute arbitrary JavaScript in victim browsers through crafted malicious links. Successful exploitation requires user interaction (victim must click attacker-controlled URL). Attack enables session hijacking, credential theft, and defacement within changed security context. No public exploit identified at time of analysis.
Technical ContextAI
Reflected XSS (CWE-79) stems from improper neutralization of user-supplied input before rendering in web pages. Attacker-controlled parameters are reflected in HTTP responses without sanitization or encoding. CVSS vector PR:N confirms unauthenticated attack surface; S:C indicates scope change enabling context escalation beyond vulnerable component.
RemediationAI
No vendor-released patch identified at time of analysis. Immediately deactivate Cerato theme and migrate to actively maintained alternative with vendor security support. If business continuity requires temporary continued use, implement web application firewall rules to sanitize all user-controllable parameters in HTTP requests, enforce Content Security Policy headers restricting inline script execution, and educate users against clicking untrusted links. Monitor Patchstack advisory for vendor patch announcements: https://patchstack.com/database/wordpress/theme/cerato/vulnerability/wordpress-cerato-theme-2-2-18-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve. Verify theme developer security contact channels for direct patch notification.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209404
GHSA-whm2-488f-jvqp