PHP
CVE-2025-63066
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in p-themes Porto Theme - Functionality porto-functionality allows Stored XSS.This issue affects Porto Theme - Functionality: from n/a through < 3.7.3.
AnalysisAI
Stored cross-site scripting (XSS) in Porto Theme - Functionality plugin for WordPress allows authenticated users with low privileges to inject malicious scripts into web pages that execute in the browsers of other site visitors. The vulnerability affects Porto Theme - Functionality versions below 3.7.3 and has a low exploitation probability (EPSS 0.01%), but requires user interaction and authenticated access to exploit, limiting immediate risk to well-managed WordPress installations with access controls.
Technical ContextAI
This vulnerability is a classic stored XSS flaw (CWE-79: Improper Neutralization of Input During Web Page Generation) in the Porto Theme - Functionality WordPress plugin. The plugin fails to properly sanitize or escape user-supplied input before storing it in the database and rendering it on web pages. Stored XSS vulnerabilities differ from reflected XSS in that the malicious payload persists in the application's data store, affecting any user who views the compromised content. The vulnerability requires an authenticated attacker with low privileges (PR:L per CVSS vector) and user interaction (UI:R), indicating the payload executes when another user views the affected page. This is a server-side input validation and output encoding failure in a WordPress plugin component.
Affected ProductsAI
Porto Theme - Functionality plugin for WordPress is affected in all versions from an unspecified baseline through version 3.7.2 inclusive. The vulnerability was patched in version 3.7.3 and later. The plugin is available through the WordPress plugin repository, and detailed vulnerability information is available via Patchstack's WordPress vulnerability database entry for this plugin at the provided reference URL.
RemediationAI
Website administrators should upgrade the Porto Theme - Functionality plugin to version 3.7.3 or later immediately. This is the primary fix as it includes input sanitization and output encoding improvements to prevent stored XSS injection. Site owners managing multiple WordPress installations should audit user permissions and remove unnecessary contributor or editor-level access from untrusted accounts, reducing the attack surface. Additionally, enable WordPress security hardening practices such as limiting plugin functionality via hooks, disabling unused plugins, and deploying WordPress security plugins that provide XSS detection. Detailed remediation guidance is available in the Patchstack vulnerability database entry linked in the references.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today