Skip to main content

Zorka CVE-2025-69096

| EUVDEUVD-2025-208997 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-03-25 Patchstack GHSA-8mwf-fh3g-cqp9
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2025-208997
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in G5Theme Zorka zorka allows Reflected XSS.This issue affects Zorka: from n/a through <= 1.5.7.

AnalysisAI

G5Theme Zorka WordPress theme versions up to and including 1.5.7 contain a Reflected Cross-Site Scripting (XSS) vulnerability that fails to properly neutralize user input during web page generation. An attacker can craft a malicious URL containing JavaScript payload and trick users into clicking it, allowing the attacker to execute arbitrary JavaScript in the victim's browser session, potentially stealing session cookies, credentials, or performing actions on behalf of the user. No CVSS score, EPSS probability, or KEV status has been assigned, but the vulnerability is confirmed by Patchstack with a clear attack vector.

Technical ContextAI

The vulnerability exists in the G5Theme Zorka WordPress theme (identified via CPE cpe:2.3:a:g5theme:zorka:*:*:*:*:*:*:*:*) and represents a classic CWE-79 Improper Neutralization of Input During Web Page Generation flaw. Specifically, the theme fails to sanitize or encode user-supplied input before rendering it in HTTP responses, allowing attacker-controlled data to be interpreted as executable code within the browser context. This is a reflected XSS vulnerability, meaning the malicious payload is passed through the request itself (typically via URL query parameters or form data) rather than stored server-side, making it suitable for phishing campaigns where victims must be tricked into accessing a crafted link. The root cause is insufficient use of WordPress security functions such as sanitize_text_field(), wp_kses_post(), or esc_html() at the point where user input is rendered in HTML/JavaScript contexts.

RemediationAI

The primary remediation is to upgrade G5Theme Zorka to a version newer than 1.5.7 immediately; check the vendor advisory at Patchstack (https://patchstack.com/database/Wordpress/Theme/zorka/vulnerability/wordpress-zorka-theme-1-5-7-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve) for the specific patched version available. Until patching is completed, implement defense-in-depth measures including: enforce Content Security Policy (CSP) headers to restrict inline script execution and external script loading; deploy a Web Application Firewall (WAF) to detect and block common XSS payloads in query parameters and form data; apply WordPress security hardening such as disabling direct script access and restricting plugin/theme permissions; and educate users not to click suspicious links from untrusted sources. Additionally, consider applying input validation and output encoding at the application level by reviewing the theme code and ensuring all user-controlled variables are properly sanitized with WordPress functions like sanitize_text_field() and escaped with esc_html() or esc_attr() before rendering.

Share

CVE-2025-69096 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy