Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Unauthenticated network XSS (PR:N/AV:N/AC:L) requiring victim click (UI:R) with cross-boundary browser execution (S:C) and limited client-side C/I/A impact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
Unauthenticated Cross Site Scripting (XSS) in SpaLab | Beauty Salon WordPress Theme <= 6.7 versions.
AnalysisAI
Reflected/unauthenticated Cross-Site Scripting in the designthemes SpaLab | Beauty Salon WordPress theme (all versions up to and including 6.7) allows remote attackers to inject arbitrary JavaScript that executes in a victim's browser when they interact with a crafted request or link. The CVSS 3.1 score of 7.1 reflects a scope-changing (S:C) client-side impact requiring no authentication (PR:N) but user interaction (UI:R). No public exploit identified at time of analysis, and it is not listed in CISA KEV; EPSS was not supplied in the input.
Technical ContextAI
This is a stored or reflected Cross-Site Scripting flaw (CWE-79: Improper Neutralization of Input During Web Page Generation) in a commercial WordPress theme distributed by designthemes and marketed for beauty-salon and spa websites. The affected component is identified by the CPE cpe:2.3:a:designthemes:spalab_|_beauty_salon_wordpress_theme:*. The root cause class - CWE-79 - means user-controllable input is echoed back into an HTML response without adequate output encoding or input sanitization, so the browser interprets injected markup as executable script. In WordPress themes, such flaws commonly arise from unescaped shortcode attributes, search/form parameters, or template output rendered via PHP echo without esc_html()/esc_attr(). The CVSS scope change (S:C) is consistent with XSS crossing the trust boundary from the vulnerable web application into the victim's browser session.
RemediationAI
No vendor-released patch version is identified in the provided data; the input confirms only that versions up to and including 6.7 are vulnerable, so administrators should upgrade to any designthemes-released version newer than 6.7 once confirmed via the Patchstack advisory (https://patchstack.com/database/wordpress/theme/spalab/vulnerability/wordpress-spalab-beauty-salon-wordpress-theme-theme-6-7-cross-site-scripting-xss-vulnerability) and the vendor's ThemeForest/designthemes changelog. Until a fixed version is confirmed and applied, deploy a Web Application Firewall (such as Patchstack's own vPatch, Wordfence, or ModSecurity with OWASP CRS) to filter XSS payloads targeting the theme's parameters - accepting that WAF rules can produce false positives on legitimate rich content. As an additional compensating control, set a restrictive Content-Security-Policy header to limit inline script execution (trade-off: may break theme features or third-party widgets that rely on inline JS), and restrict or disable any vulnerable theme forms/endpoints that are not business-critical. Verify the exact fixed version before assuming remediation is complete.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210406
GHSA-wr8f-c78x-3pvx