CVE-2025-63066

Severity: MEDIUM, 6.5 (CVSS 3.1)
Published: 2025-12-09, source [email protected]

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
  Attack Vector: Network
  Attack Complexity: Low
  Privileges Required: Low
  User Interaction: Required
  Scope: Changed
  Confidentiality: Low
  Integrity: Low
  Availability: Low

Lifecycle Timeline

CVE Published: Dec 09, 2025 - 16:18 (nvd), rated MEDIUM 6.5
Analysis Generated: Apr 01, 2026 - 15:22 (vuln.today)

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in p-themes Porto Theme - Functionality porto-functionality allows Stored XSS. This issue affects Porto Theme - Functionality: from n/a through < 3.7.3.

Analysis

Stored cross-site scripting (XSS) in the Porto Theme - Functionality plugin for WordPress lets an authenticated user with low privileges inject script into content that the plugin stores and later renders to other site visitors, in whose browsers it executes. Versions below 3.7.3 are affected. The exploitation probability is low (EPSS 0.01%), and an attacker needs both an account on the site and a victim who views the injected content, so on well-managed installations with tight role assignments the immediate risk is limited. Sites that hand out low-privilege content roles freely (open registration, multi-author blogs) have a larger pool of potential attackers and should patch promptly.

Technical Context

This is a classic stored XSS flaw (CWE-79: Improper Neutralization of Input During Web Page Generation) in the Porto Theme - Functionality WordPress plugin. The plugin stores user-supplied input without adequate sanitization and later renders it into a page without escaping it for its output context, so markup or script supplied by one user becomes part of the HTML served to others. Stored XSS differs from reflected XSS in that the payload persists in the application's data store and fires for every user who views the affected content, not only for a victim who follows a crafted link. The CVSS vector captures the attack path: the attacker must be authenticated with low privileges (PR:L), a victim must load the affected page (UI:R), and the scope is Changed (S:C) because the injected script runs in the victim's browser under the site's origin rather than inside the vulnerable plugin itself, where it can issue requests with the victim's session or rewrite what the victim sees. Confidentiality, integrity and availability impacts are each rated Low. The root cause is a server-side input validation and output encoding failure in plugin code.
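The pattern described above, as an added illustration written for this page rather than code taken from the Porto plugin: a WordPress handler that stores a field raw and echoes it raw, beside a hardened version that checks capability and nonce, sanitizes on input with WordPress's own API and escapes on output for the HTML context. The option names, action names, shortcode tag and function names are hypothetical.

```php
<?php
// Added illustration (not the Porto plugin's code). Names below are hypothetical.
// Assumes it is loaded inside WordPress (as a plugin or mu-plugin).

// --- Vulnerable pattern: input stored raw, rendered raw -------------------------
function vuln_save_tagline() {
    // admin_post_{action} fires for any logged-in user (PR:L): whatever they
    // submit is stored verbatim, e.g. <img src=x onerror=alert(document.domain)>.
    $tagline = isset( $_POST['tagline'] ) ? wp_unslash( $_POST['tagline'] ) : '';
    update_option( 'vuln_tagline', $tagline );          // no sanitization
    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : home_url() );
    exit;
}
add_action( 'admin_post_vuln_save_tagline', 'vuln_save_tagline' );

function vuln_render_tagline() {
    // Raw output: the stored payload runs in every visitor's browser (UI:R, S:C).
    return '<p class="tagline">' . get_option( 'vuln_tagline', '' ) . '</p>';
}
add_shortcode( 'vuln_tagline', 'vuln_render_tagline' );

// --- Hardened pattern: least privilege, CSRF check, sanitize in, escape out ----
function safe_save_tagline() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', 403 );      // not every logged-in user
    }
    check_admin_referer( 'safe_save_tagline' );        // nonce; dies on failure

    $raw = isset( $_POST['tagline'] ) ? wp_unslash( $_POST['tagline'] ) : '';
    // Plain-text field: strip tags, control characters and stray whitespace.
    $tagline = sanitize_text_field( $raw );
    // If limited markup is required, allow-list it instead of stripping it:
    //   $tagline = wp_kses_post( $raw );   // drops <script>, on* handlers, javascript: URLs
    update_option( 'safe_tagline', $tagline );
    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : home_url() );
    exit;
}
add_action( 'admin_post_safe_save_tagline', 'safe_save_tagline' );

function safe_render_tagline() {
    // Escape at the point of output, for each context the value lands in:
    // esc_attr() inside an attribute, esc_html() inside element text.
    $tagline = get_option( 'safe_tagline', '' );
    return '<p class="tagline" data-tagline="' . esc_attr( $tagline ) . '">'
         . esc_html( $tagline ) . '</p>';
}
add_shortcode( 'safe_tagline', 'safe_render_tagline' );
```

Sanitizing on input and escaping on output are both needed: sanitize_text_field() or wp_kses_post() bounds what can be stored, while esc_html()/esc_attr() make the stored value inert in the specific HTML context it is rendered into, so a value that is later reused in a different context (an attribute, a script block) is still escaped correctly there.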

Affected Products

Porto Theme - Functionality, the companion plugin bundled with the commercial Porto theme by p-themes, is affected in all versions up to and including 3.7.2 (the advisory gives no lower bound). The fix is in version 3.7.3 and later. Because the plugin is distributed with the theme rather than through the wordpress.org plugin directory, updates typically arrive through the theme's own plugin installer, so the installed version should be verified rather than assumed. Detailed vulnerability information is available in Patchstack's WordPress vulnerability database entry for this plugin.

Remediation

Upgrade the Porto Theme - Functionality plugin to version 3.7.3 or later; this is the fix, and it adds the input sanitization and output escaping the vulnerable code lacked. Until the update is applied, reduce exposure through least privilege: audit user accounts, remove contributor, author or editor roles from accounts that do not need them, and grant the unfiltered_html capability only to trusted administrators. Defense in depth that limits what a stored payload can do includes a Content-Security-Policy that disallows inline script, a web application firewall or WordPress security plugin with XSS signatures, and removal of unused plugins to shrink the attack surface. Detailed remediation guidance is in Patchstack's vulnerability database entry for this plugin.
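An added audit script for the two remediation checks above (patch level and role exposure), written for this page and not taken from the advisory or the plugin. It is meant to run inside a loaded WordPress, for example with `wp eval-file porto-audit.php`; the plugin file path is an assumption and should be adjusted to the install's actual directory.

```php
<?php
// Added audit snippet (not the advisory's or the plugin's code).
// Run inside WordPress, e.g.:  wp eval-file porto-audit.php
// The plugin path below is an assumption; adjust to the real install directory.

$fixed_version = '3.7.3';
$plugin_file   = 'porto-functionality/porto-functionality.php'; // assumed path

if ( ! function_exists( 'get_plugin_data' ) ) {
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
}

// 1. Is the installed plugin at or above the fixed version?
function porto_version_status( $plugin_file, $fixed_version ) {
    $path = WP_PLUGIN_DIR . '/' . $plugin_file;
    if ( ! file_exists( $path ) ) {
        return array( 'installed' => null, 'active' => false, 'vulnerable' => false );
    }
    $data = get_plugin_data( $path, false, false );
    return array(
        'installed'  => $data['Version'],
        'active'     => is_plugin_active( $plugin_file ),
        // version_compare handles "3.7.3" vs "3.7.10" correctly (string compare does not).
        'vulnerable' => version_compare( $data['Version'], $fixed_version, '<' ),
    );
}

// 2. Which accounts can author content that other users will view?
//    PR:L means a low-privilege content role suffices, so list everyone with one.
function porto_content_authors() {
    $rows  = array();
    $roles = array( 'contributor', 'author', 'editor', 'administrator' );
    $caps  = array( 'edit_posts', 'publish_posts', 'edit_others_posts', 'unfiltered_html' );
    $users = get_users( array( 'role__in' => $roles, 'fields' => array( 'ID', 'user_login' ) ) );
    foreach ( $users as $u ) {
        $user = get_userdata( $u->ID );
        $has  = array();
        foreach ( $caps as $cap ) {
            if ( user_can( $user, $cap ) ) {
                $has[] = $cap;
            }
        }
        $rows[] = array( 'login' => $u->user_login, 'roles' => $user->roles, 'caps' => $has );
    }
    return $rows;
}

$status = porto_version_status( $plugin_file, $fixed_version );
if ( null === $status['installed'] ) {
    echo "Porto Theme - Functionality not found at {$plugin_file}\n";
} else {
    printf(
        "Porto Theme - Functionality %s (%s): %s\n",
        $status['installed'],
        $status['active'] ? 'active' : 'inactive',
        $status['vulnerable'] ? 'VULNERABLE to CVE-2025-63066, upgrade to ' . $fixed_version : 'patched'
    );
}

echo "\nAccounts able to author content (review and trim to what is needed):\n";
foreach ( porto_content_authors() as $row ) {
    printf(
        "%-24s roles=%-14s caps=%s\n",
        $row['login'],
        implode( ',', $row['roles'] ),
        implode( ',', $row['caps'] )
    );
}
```

Accounts listed with unfiltered_html deserve particular attention: WordPress does not run their post content through its KSES filter, so a compromised or untrusted account with that capability can inject script regardless of this plugin's fix. On single-site installs editors hold it by default; defining DISALLOW_UNFILTERED_HTML in wp-config.php removes it from everyone.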

Priority Score: 33 (scale: Low / Medium / High / Critical)
  KEV: 0
  EPSS: +0.0
  CVSS: +32
  POC: 0
