Avante WordPress Theme
CVE-2025-68524
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Reflected XSS reachable over the network without authentication but requires the victim to click a crafted link; scope changes to the browser origin with limited C/I/A impact on the WordPress session.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Cross Site Scripting (XSS) in Avante < 3.0.5 versions.
AnalysisAI
Reflected cross-site scripting in the Avante WordPress theme versions prior to 3.0.5 allows unauthenticated remote attackers to inject script that executes in a victim's browser when the victim clicks a crafted link. Reported by Patchstack with CVSS 7.1 (scope-changed), no public exploit identified at time of analysis, but the unauthenticated nature and prevalence of WordPress themes makes this a practical phishing/account-takeover lure against site visitors and logged-in administrators.
Technical ContextAI
Avante is a commercial WordPress theme published by ThemeGoods (CPE cpe:2.3:a:themegoods:avante). The flaw is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), specifically a reflected XSS variant per Patchstack's advisory title. Reflected XSS occurs when a server-side script echoes attacker-controlled GET/POST input back into an HTML response without proper context-aware encoding, allowing arbitrary JavaScript to execute in the security origin of the WordPress site. The CVSS scope change (S:C) indicates the injected script can affect resources beyond the vulnerable component - typical for browser-rendered XSS where any cookie or DOM in the WordPress origin becomes reachable.
RemediationAI
Upgrade the Avante theme to version 3.0.5 or later via the WordPress admin Appearance > Themes update flow or by manually replacing theme files obtained from ThemeMarket/ThemeForest where Avante is distributed; consult the Patchstack advisory at https://patchstack.com/database/wordpress/theme/avante/vulnerability/wordpress-avante-theme-3-0-5-reflected-cross-site-scripting-xss-vulnerability for confirmation. If immediate patching is not possible, deploy a WAF rule (e.g., Patchstack, Wordfence, Cloudflare managed WordPress ruleset) to block requests containing common XSS payload signatures targeting Avante theme endpoints, and enforce a strict Content-Security-Policy disallowing inline scripts on the site - note that CSP may break legitimate inline scripts shipped by other themes/plugins and require allowlisting. Administrators should also avoid clicking unsolicited links to the WordPress site while authenticated, and consider routing admin sessions through a separate browser profile to limit blast radius until the upgrade is applied.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today