Skip to main content

CVE-2025-62136

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2025-12-31 audit@patchstack.com
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
CVSS changed
Apr 23, 2026 - 15:43 NVD
6.5 (MEDIUM)
Analysis Generated
Apr 01, 2026 - 17:44 vuln.today
CVE Published
Dec 31, 2025 - 09:15 nvd
N/A

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in thinkupthemes Melos melos allows Stored XSS.This issue affects Melos: from n/a through <= 1.6.0.

AnalysisAI

Stored cross-site scripting (XSS) vulnerability in the Melos WordPress theme through version 1.6.0 allows attackers to inject and execute arbitrary JavaScript code that persists in the application and executes in the browsers of other users. The vulnerability affects all versions up to and including 1.6.0, and while no CVSS vector or EPSS exploitation probability is formally assigned, the low EPSS score (0.04th percentile) suggests minimal real-world exploitation likelihood despite the stored nature of the flaw.

Technical ContextAI

This is a Stored XSS vulnerability (CWE-79: Improper Neutralization of Input During Web Page Generation) in the Melos WordPress theme, a web application component rendered server-side and served to users' browsers. Stored XSS occurs when user input is accepted, stored in a backend database or file system without proper sanitization or encoding, and then output to the page without context-appropriate escaping. Unlike reflected XSS, stored variants persist and affect multiple users. The vulnerability likely exists in a form input, settings field, or content area within the theme that fails to sanitize HTML/JavaScript characters or properly apply WordPress escaping functions (such as wp_kses_post(), esc_html(), or esc_attr()). The CPE for affected products is rooted in the thinkupthemes Melos WordPress theme product line.

Affected ProductsAI

The vulnerability affects the Melos WordPress theme (CPE references thinkupthemes/melos) in all versions from the initial release through version 1.6.0 inclusive. The Patchstack database entry indicates the affected version range as 'from n/a through <= 1.6.0', confirming that any installation of Melos at or below version 1.6.0 is potentially vulnerable. The theme is distributed via the WordPress.org repository and third-party theme marketplaces. Detailed vulnerability information and advisory can be found at the Patchstack database: https://patchstack.com/database/Wordpress/Theme/melos/vulnerability/wordpress-melos-theme-1-6-0-cross-site-scripting-xss-vulnerability

RemediationAI

Update the Melos WordPress theme to a version later than 1.6.0 immediately through the WordPress admin dashboard (Appearance > Themes > Updates) or by downloading the latest version from WordPress.org and uploading via SFTP/file manager. If an update beyond 1.6.0 is not yet available, contact thinkupthemes support or monitor the Patchstack database and WordPress.org for patched releases. As a temporary workaround, restrict editing permissions to trusted administrators and contributors only, disable user-generated content features within the theme if available, and implement a Web Application Firewall (WAF) rule to detect and block common XSS payloads (script tags, event handlers). Review site audit logs for evidence of injected content and remove any suspicious data. Consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Theme/melos/vulnerability/wordpress-melos-theme-1-6-0-cross-site-scripting-xss-vulnerability) for theme-specific remediation guidance.

Share

CVE-2025-62136 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy