CVE-2025-62991

2025-12-31 [email protected]

Lifecycle Timeline

2
Analysis Generated
Apr 01, 2026 - 17:44 vuln.today
CVE Published
Dec 31, 2025 - 12:16 nvd
N/A

Tags

WordPress PHP XSS

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in thinkupthemes Minamaze minamaze allows Stored XSS.This issue affects Minamaze: from n/a through <= 1.10.1.

Analysis

Stored cross-site scripting (XSS) in thinkupthemes Minamaze WordPress theme versions up to 1.10.1 allows authenticated users to inject malicious scripts that persist in the database and execute in the browsers of site visitors. The vulnerability has an EPSS score of 0.01% (3rd percentile), indicating minimal likelihood of exploitation in practice, though it represents a privilege-escalation pathway for authenticated attackers with contributor-level access or higher.

Technical Context

Minamaze is a WordPress theme developed by thinkupthemes. The vulnerability stems from improper input sanitization and output encoding during web page generation (CWE-79: Improper Neutralization of Input During Web Page Generation). Stored XSS flaws occur when user-supplied input is saved to a database and later rendered without adequate HTML escaping, allowing attackers to inject arbitrary JavaScript that executes in the context of the WordPress admin area or frontend, depending on where the malicious payload is injected. This class of vulnerability is particularly dangerous because the payload persists and affects all subsequent visitors.

Affected Products

thinkupthemes Minamaze WordPress theme version 1.10.1 and all earlier versions are affected. The vulnerability was reported via Patchstack and is documented in their vulnerability database. Users of Minamaze theme should verify their installed version against the disclosed range to assess exposure.

Remediation

Update the thinkupthemes Minamaze theme to a patched version released after 1.10.1. Check the theme's WordPress.org page or the vendor's official website for the latest available version and apply the update through the WordPress theme management interface. If no patched version is immediately available, temporarily restrict user roles with content-creation capabilities (contributors, editors) to trusted administrators only, and review recent post/page modifications for suspicious content. See the Patchstack vulnerability disclosure at https://patchstack.com/database/Wordpress/Theme/minamaze/vulnerability/wordpress-minamaze-theme-1-10-1-cross-site-scripting-xss-vulnerability for additional details and potential vendor advisories.

Priority Score

0
Low Medium High Critical
KEV: 0
EPSS: +0.0
CVSS: +0
POC: 0

Share

CVE-2025-62991 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy