Skip to main content

CVE-2025-62991

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2025-12-31 audit@patchstack.com
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
CVSS changed
Apr 23, 2026 - 15:43 NVD
6.5 (MEDIUM)
Analysis Generated
Apr 01, 2026 - 17:44 vuln.today
CVE Published
Dec 31, 2025 - 12:16 nvd
N/A

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in thinkupthemes Minamaze minamaze allows Stored XSS.This issue affects Minamaze: from n/a through <= 1.10.1.

AnalysisAI

Stored cross-site scripting (XSS) in thinkupthemes Minamaze WordPress theme versions up to 1.10.1 allows authenticated users to inject malicious scripts that persist in the database and execute in the browsers of site visitors. The vulnerability has an EPSS score of 0.01% (3rd percentile), indicating minimal likelihood of exploitation in practice, though it represents a privilege-escalation pathway for authenticated attackers with contributor-level access or higher.

Technical ContextAI

Minamaze is a WordPress theme developed by thinkupthemes. The vulnerability stems from improper input sanitization and output encoding during web page generation (CWE-79: Improper Neutralization of Input During Web Page Generation). Stored XSS flaws occur when user-supplied input is saved to a database and later rendered without adequate HTML escaping, allowing attackers to inject arbitrary JavaScript that executes in the context of the WordPress admin area or frontend, depending on where the malicious payload is injected. This class of vulnerability is particularly dangerous because the payload persists and affects all subsequent visitors.

Affected ProductsAI

thinkupthemes Minamaze WordPress theme version 1.10.1 and all earlier versions are affected. The vulnerability was reported via Patchstack and is documented in their vulnerability database. Users of Minamaze theme should verify their installed version against the disclosed range to assess exposure.

RemediationAI

Update the thinkupthemes Minamaze theme to a patched version released after 1.10.1. Check the theme's WordPress.org page or the vendor's official website for the latest available version and apply the update through the WordPress theme management interface. If no patched version is immediately available, temporarily restrict user roles with content-creation capabilities (contributors, editors) to trusted administrators only, and review recent post/page modifications for suspicious content. See the Patchstack vulnerability disclosure at https://patchstack.com/database/Wordpress/Theme/minamaze/vulnerability/wordpress-minamaze-theme-1-10-1-cross-site-scripting-xss-vulnerability for additional details and potential vendor advisories.

Share

CVE-2025-62991 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy