CVE-2025-62137

2025-12-31 [email protected]
XSS Information Disclosure

Lifecycle Timeline

2
Analysis Generated
Apr 01, 2026 - 17:44 vuln.today
CVE Published
Dec 31, 2025 - 09:15 nvd
N/A

DescriptionNVD

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in shuttlethemes Shuttle shuttle allows Stored XSS.This issue affects Shuttle: from n/a through <= 1.5.0.

AnalysisAI

Stored cross-site scripting (XSS) in Shuttle WordPress theme through version 1.5.0 allows authenticated users to inject malicious scripts that persist in the application and execute in the browsers of other users who view the affected content. The vulnerability has an EPSS score of 0.04% (14th percentile), indicating low real-world exploitation probability despite the moderate attack surface typical of stored XSS flaws. No public exploit code or active exploitation has been confirmed.

Technical ContextAI

This is a classic input validation failure (CWE-79: Improper Neutralization of Input During Web Page Generation) in the Shuttle WordPress theme. The theme fails to properly sanitize or escape user-supplied input before rendering it in generated web pages, allowing attackers to embed arbitrary JavaScript code. Stored XSS differs from reflected XSS in that the malicious payload is persisted in the application's data store (database or theme settings), making it execute every time the affected content is loaded-a higher-impact variant. WordPress themes handle theme customization options, widget content, and user-generated data; improper escaping at output time or sanitization at input time in any of these areas creates this vulnerability class.

Affected ProductsAI

The Shuttle WordPress theme is affected in all versions from the initial release through version 1.5.0. The vulnerability is reported by Patchstack and tracked in their WordPress theme vulnerability database. Affected administrators should verify their installed version via the WordPress admin dashboard (Appearance > Themes) or through the WordPress.org plugin/theme directory.

RemediationAI

Update the Shuttle theme to a version newer than 1.5.0 once available from the theme vendor or WordPress.org. If a patched version is not yet released, mitigate by restricting theme customization and user-generated content capabilities to trusted administrators only, and disable or remove any Shuttle theme features that accept user input (such as custom fields, widget areas, or theme option panels) until a patch is available. Monitor the official Shuttle theme repository and Patchstack advisory database at https://patchstack.com/database/Wordpress/Theme/shuttle/vulnerability/wordpress-shuttle-theme-1-5-0-cross-site-scripting-xss-vulnerability for availability of a patched release.

Share

CVE-2025-62137 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy