Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Remote unauthenticated reflected XSS needing victim click (UI:R); executed script crosses into the WordPress session context (S:C) with limited low C/I/A impact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Cross Site Scripting (XSS) in Trendy Travel <= 6.7 versions.
AnalysisAI
Reflected cross-site scripting in the Trendy Travel WordPress theme (versions 6.7 and earlier) by designthemes lets remote unauthenticated attackers inject arbitrary JavaScript that executes in a victim's browser when they follow a crafted link. Rated CVSS 7.1 with a scope change (S:C), reflecting that injected script can act across the WordPress security boundary. No public exploit identified at time of analysis, and no EPSS score was supplied.
Technical ContextAI
The affected component is Trendy Travel, a commercial travel-oriented WordPress theme published under the designthemes vendor (CPE cpe:2.3:a:designthemes:trendy_travel). The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation): a request-derived parameter is reflected back into an HTML response without adequate output encoding or input sanitization, so attacker-controlled markup is parsed as active content by the browser. Because this is a theme (front-end presentation layer), the vulnerable code path is reachable on public-facing pages rendered to any visitor, and the CVSS scope change (S:C) indicates the executed script can affect resources beyond the vulnerable component, e.g. the authenticated WordPress session or admin context.
RemediationAI
No vendor-released patch version is identified in the provided data, so upgrade to a fixed release cannot be cited with an exact number - monitor the designthemes/Trendy Travel changelog and the Patchstack advisory (https://patchstack.com/database/wordpress/theme/trendytravel/vulnerability/wordpress-trendy-travel-theme-6-7-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve) for a version above 6.7 and update as soon as one is released. As compensating controls until a patch is applied, place a Web Application Firewall (such as Patchstack's or a comparable WordPress WAF) in front of the site to filter reflected-XSS payloads in request parameters, which is low-impact but may miss novel encodings; add a restrictive Content-Security-Policy that disallows inline script execution to blunt injected JavaScript, accepting that it can break legitimate inline scripts and require tuning; and if the vulnerable theme endpoint or parameter is non-essential, restrict or block access to it at the reverse proxy, at the cost of any functionality that relies on it.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210405
GHSA-6cxj-rvj8-j8p8