Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Unauthenticated reflected XSS reachable over the network (PR:N/AV:N) but requiring a victim to click (UI:R), with a scope change into the browser and only low C/I/A impact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
Unauthenticated Cross Site Scripting (XSS) in Artale | Wedding Photography WordPress <= 2.2.2 versions.
AnalysisAI
Reflected/stored Cross-Site Scripting in the Artale Wedding Photography WordPress theme (versions 2.2.2 and earlier) lets unauthenticated remote attackers inject arbitrary JavaScript that executes in a victim's browser after they follow a crafted link or load a poisoned page. Reported by Patchstack and rated CVSS 7.1 with a scope change, it primarily threatens site visitors and administrators through session/context theft rather than direct server compromise. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Technical ContextAI
The affected component is Artale, a commercial WordPress theme by ThemeGoods marketed for wedding photography sites (CPE cpe:2.3:a:themegoods:artale_|_wedding_photography_wordpress:*). The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning user-controllable input is reflected into HTML output without proper output encoding or input sanitization. Because the CVSS vector marks it unauthenticated (PR:N), the injectable sink is reachable via a public request path (e.g., a theme parameter, search/form field, or front-end template) rather than an authenticated admin screen, allowing attacker-supplied markup/script to be rendered in the page.
RemediationAI
Upgrade the Artale theme to a fixed release above 2.2.2 once the vendor (ThemeGoods) publishes one; the Patchstack advisory (https://patchstack.com/database/wordpress/theme/artale/vulnerability/wordpress-artale-wedding-photography-wordpress-theme-2-2-2-cross-site-scripting-xss-vulnerability?_s_id=cve) is the authoritative source for the patched version, which is not stated in the available data. If no fixed version is yet available, apply virtual patching via a WAF or Patchstack's protection module to filter script payloads on the vulnerable request path, and add a restrictive Content-Security-Policy to block inline/injected script execution (side effect: may break legitimate inline scripts and require tuning). As a stronger interim control, restrict or disable the affected front-end feature or switch to an alternate theme on exposed production sites, accepting the loss of that theme's functionality until a patched build is confirmed.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210404
GHSA-jjcv-hgrx-x8hh