Skip to main content

SpaLab Beauty Salon Theme CVE-2025-69154

| EUVDEUVD-2025-210406 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-07-02 Patchstack GHSA-wr8f-c78x-3pvx
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
7.1 HIGH

Unauthenticated network XSS (PR:N/AV:N/AC:L) requiring victim click (UI:R) with cross-boundary browser execution (S:C) and limited client-side C/I/A impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jul 02, 2026 - 12:06 vuln.today
CVE Published
Jul 02, 2026 - 11:14 cve.org
HIGH 7.1

DescriptionCVE.org

Unauthenticated Cross Site Scripting (XSS) in SpaLab | Beauty Salon WordPress Theme <= 6.7 versions.

AnalysisAI

Reflected/unauthenticated Cross-Site Scripting in the designthemes SpaLab | Beauty Salon WordPress theme (all versions up to and including 6.7) allows remote attackers to inject arbitrary JavaScript that executes in a victim's browser when they interact with a crafted request or link. The CVSS 3.1 score of 7.1 reflects a scope-changing (S:C) client-side impact requiring no authentication (PR:N) but user interaction (UI:R). No public exploit identified at time of analysis, and it is not listed in CISA KEV; EPSS was not supplied in the input.

Technical ContextAI

This is a stored or reflected Cross-Site Scripting flaw (CWE-79: Improper Neutralization of Input During Web Page Generation) in a commercial WordPress theme distributed by designthemes and marketed for beauty-salon and spa websites. The affected component is identified by the CPE cpe:2.3:a:designthemes:spalab_|_beauty_salon_wordpress_theme:*. The root cause class - CWE-79 - means user-controllable input is echoed back into an HTML response without adequate output encoding or input sanitization, so the browser interprets injected markup as executable script. In WordPress themes, such flaws commonly arise from unescaped shortcode attributes, search/form parameters, or template output rendered via PHP echo without esc_html()/esc_attr(). The CVSS scope change (S:C) is consistent with XSS crossing the trust boundary from the vulnerable web application into the victim's browser session.

RemediationAI

No vendor-released patch version is identified in the provided data; the input confirms only that versions up to and including 6.7 are vulnerable, so administrators should upgrade to any designthemes-released version newer than 6.7 once confirmed via the Patchstack advisory (https://patchstack.com/database/wordpress/theme/spalab/vulnerability/wordpress-spalab-beauty-salon-wordpress-theme-theme-6-7-cross-site-scripting-xss-vulnerability) and the vendor's ThemeForest/designthemes changelog. Until a fixed version is confirmed and applied, deploy a Web Application Firewall (such as Patchstack's own vPatch, Wordfence, or ModSecurity with OWASP CRS) to filter XSS payloads targeting the theme's parameters - accepting that WAF rules can produce false positives on legitimate rich content. As an additional compensating control, set a restrictive Content-Security-Policy header to limit inline script execution (trade-off: may break theme features or third-party widgets that rely on inline JS), and restrict or disable any vulnerable theme forms/endpoints that are not business-critical. Verify the exact fixed version before assuming remediation is complete.

Share

CVE-2025-69154 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy