Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Network reflected XSS needing victim interaction (UI:R) but no attacker auth (PR:N); script crosses into site origin (S:C) with limited C/I/A impact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
Unauthenticated Cross Site Scripting (XSS) in Fitness Zone WordPress Theme <= 5.7 versions.
AnalysisAI
Reflected/unauthenticated Cross-Site Scripting in the Fitness Zone WordPress theme (versions 5.7 and earlier) by designthemes allows remote attackers to inject arbitrary JavaScript that executes in a victim's browser when they interact with a crafted link or request. The scope-change (S:C) rating indicates the injected script can affect resources beyond the vulnerable component, such as hijacking authenticated admin sessions. No public exploit identified at time of analysis, and it is not listed in CISA KEV; the flaw was reported by Patchstack.
Technical ContextAI
This is a CWE-79 (Improper Neutralization of Input During Web Page Generation) issue in the Fitness Zone theme, a commercial WordPress front-end theme sold by the vendor 'designthemes' (per CPE cpe:2.3:a:designthemes:fitness_zone_wordpress_theme). The root cause is user-controllable input being reflected into HTML output without proper output encoding or input sanitization, so browser-parsed markup/script survives into the rendered page. In WordPress theme code this typically stems from echoing request parameters (GET/POST, search terms, or shortcode/template attributes) directly without WordPress escaping helpers such as esc_html(), esc_attr(), or wp_kses(). The CVSS scope change (S:C) reflects that script executing in the WordPress origin can reach the broader site/admin context.
RemediationAI
No vendor-released patch version is identified in the provided data (the affected range is '<= 5.7' with no stated fixed release), so the primary action is to update the Fitness Zone theme to any version later than 5.7 once the vendor publishes one and to monitor the Patchstack advisory (https://patchstack.com/database/wordpress/theme/fitnesszone/vulnerability/wordpress-fitness-zone-wordpress-theme-theme-5-7-cross-site-scripting-xss-vulnerability) for the fixed release. As compensating controls until a patched version is confirmed, deploy a WAF or virtual-patching rule (Patchstack, Wordfence, or equivalent) to filter XSS payloads on the theme's reflected parameters, which adds request-inspection overhead and can occasionally block legitimate rich content; enforce a restrictive Content-Security-Policy that disallows inline script to blunt reflected script execution, noting it may break theme features relying on inline JS; and if the theme is not essential, switch to a maintained theme to eliminate exposure. Because interaction is required, also advise administrators to avoid clicking untrusted links to the site while authenticated.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210407
GHSA-8mp7-55hp-m92p