CVE-2025-62136
Lifecycle Timeline
2Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in thinkupthemes Melos melos allows Stored XSS.This issue affects Melos: from n/a through <= 1.6.0.
Analysis
Stored cross-site scripting (XSS) vulnerability in the Melos WordPress theme through version 1.6.0 allows attackers to inject and execute arbitrary JavaScript code that persists in the application and executes in the browsers of other users. The vulnerability affects all versions up to and including 1.6.0, and while no CVSS vector or EPSS exploitation probability is formally assigned, the low EPSS score (0.04th percentile) suggests minimal real-world exploitation likelihood despite the stored nature of the flaw.
Technical Context
This is a Stored XSS vulnerability (CWE-79: Improper Neutralization of Input During Web Page Generation) in the Melos WordPress theme, a web application component rendered server-side and served to users' browsers. Stored XSS occurs when user input is accepted, stored in a backend database or file system without proper sanitization or encoding, and then output to the page without context-appropriate escaping. Unlike reflected XSS, stored variants persist and affect multiple users. The vulnerability likely exists in a form input, settings field, or content area within the theme that fails to sanitize HTML/JavaScript characters or properly apply WordPress escaping functions (such as wp_kses_post(), esc_html(), or esc_attr()). The CPE for affected products is rooted in the thinkupthemes Melos WordPress theme product line.
Affected Products
The vulnerability affects the Melos WordPress theme (CPE references thinkupthemes/melos) in all versions from the initial release through version 1.6.0 inclusive. The Patchstack database entry indicates the affected version range as 'from n/a through <= 1.6.0', confirming that any installation of Melos at or below version 1.6.0 is potentially vulnerable. The theme is distributed via the WordPress.org repository and third-party theme marketplaces. Detailed vulnerability information and advisory can be found at the Patchstack database: https://patchstack.com/database/Wordpress/Theme/melos/vulnerability/wordpress-melos-theme-1-6-0-cross-site-scripting-xss-vulnerability
Remediation
Update the Melos WordPress theme to a version later than 1.6.0 immediately through the WordPress admin dashboard (Appearance > Themes > Updates) or by downloading the latest version from WordPress.org and uploading via SFTP/file manager. If an update beyond 1.6.0 is not yet available, contact thinkupthemes support or monitor the Patchstack database and WordPress.org for patched releases. As a temporary workaround, restrict editing permissions to trusted administrators and contributors only, disable user-generated content features within the theme if available, and implement a Web Application Firewall (WAF) rule to detect and block common XSS payloads (script tags, event handlers). Review site audit logs for evidence of injected content and remove any suspicious data. Consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Theme/melos/vulnerability/wordpress-melos-theme-1-6-0-cross-site-scripting-xss-vulnerability) for theme-specific remediation guidance.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today