Skip to main content

Qreatix CVE-2025-69104

| EUVDEUVD-2025-210188 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-16 Patchstack
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
7.1 HIGH

Network-reachable unauthenticated XSS requiring a victim click; scope change to admin context yields low C/I/A impact on the WordPress session, consistent with reported vector.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 00:06 vuln.today

DescriptionCVE.org

Unauthenticated Cross Site Scripting (XSS) in Qreatix <= 1.9.4 versions.

AnalysisAI

Reflected/stored cross-site scripting in the Qreatix WordPress theme (versions 1.9.4 and earlier) allows remote unauthenticated attackers to inject arbitrary script that executes in a victim's browser after the victim interacts with a crafted link or page. The flaw is reported by Patchstack and tracked as EUVD-2025-210188; no public exploit identified at time of analysis and no CISA KEV listing. CVSS scope-change rating (7.1) reflects impact on a separate security authority - typically the WordPress admin session of a logged-in user lured to the payload.

Technical ContextAI

Qreatix is a commercial WordPress theme distributed by jkdevstudio (CPE cpe:2.3:a:jkdevstudio:qreatix). The root cause is CWE-79 - improper neutralization of user-supplied input during web page generation - meaning the theme renders attacker-controlled data into HTML/JavaScript context without adequate output encoding or input sanitization. Because the issue is reachable without authentication, the injection point is likely a public-facing theme endpoint (e.g., a search/form parameter, comment field, or shortcode handler) that echoes request data back into a page that may later be viewed by privileged users in the WordPress admin or site frontend.

RemediationAI

No vendor-released patch identified at time of analysis - the Patchstack advisory does not name a fixed Qreatix release in the supplied data, so administrators should monitor https://patchstack.com/database/wordpress/theme/qreatix/vulnerability/wordpress-qreatix-theme-1-9-4-cross-site-scripting-xss-vulnerability and the jkdevstudio theme page for a 1.9.5+ release and apply it immediately when available. As compensating controls, deploy Patchstack's vPatch or an equivalent WAF rule that blocks XSS payloads on the theme's vulnerable parameters (trade-off: may break legitimate rich-text submissions), enforce a strict Content-Security-Policy that disallows inline script and untrusted script sources (trade-off: may break theme-bundled inline JS, requiring nonce/hash whitelisting), and temporarily switch to an alternate theme if the site cannot tolerate the exposure. Administrators should also avoid clicking suspicious links to their own site while logged in until patched.

Share

CVE-2025-69104 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy