Skip to main content

Fitness Zone CVE-2025-69155

| EUVDEUVD-2025-210407 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-07-02 Patchstack GHSA-8mp7-55hp-m92p
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
7.1 HIGH

Network reflected XSS needing victim interaction (UI:R) but no attacker auth (PR:N); script crosses into site origin (S:C) with limited C/I/A impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jul 02, 2026 - 12:07 vuln.today
CVE Published
Jul 02, 2026 - 11:14 cve.org
HIGH 7.1

DescriptionCVE.org

Unauthenticated Cross Site Scripting (XSS) in Fitness Zone WordPress Theme <= 5.7 versions.

AnalysisAI

Reflected/unauthenticated Cross-Site Scripting in the Fitness Zone WordPress theme (versions 5.7 and earlier) by designthemes allows remote attackers to inject arbitrary JavaScript that executes in a victim's browser when they interact with a crafted link or request. The scope-change (S:C) rating indicates the injected script can affect resources beyond the vulnerable component, such as hijacking authenticated admin sessions. No public exploit identified at time of analysis, and it is not listed in CISA KEV; the flaw was reported by Patchstack.

Technical ContextAI

This is a CWE-79 (Improper Neutralization of Input During Web Page Generation) issue in the Fitness Zone theme, a commercial WordPress front-end theme sold by the vendor 'designthemes' (per CPE cpe:2.3:a:designthemes:fitness_zone_wordpress_theme). The root cause is user-controllable input being reflected into HTML output without proper output encoding or input sanitization, so browser-parsed markup/script survives into the rendered page. In WordPress theme code this typically stems from echoing request parameters (GET/POST, search terms, or shortcode/template attributes) directly without WordPress escaping helpers such as esc_html(), esc_attr(), or wp_kses(). The CVSS scope change (S:C) reflects that script executing in the WordPress origin can reach the broader site/admin context.

RemediationAI

No vendor-released patch version is identified in the provided data (the affected range is '<= 5.7' with no stated fixed release), so the primary action is to update the Fitness Zone theme to any version later than 5.7 once the vendor publishes one and to monitor the Patchstack advisory (https://patchstack.com/database/wordpress/theme/fitnesszone/vulnerability/wordpress-fitness-zone-wordpress-theme-theme-5-7-cross-site-scripting-xss-vulnerability) for the fixed release. As compensating controls until a patched version is confirmed, deploy a WAF or virtual-patching rule (Patchstack, Wordfence, or equivalent) to filter XSS payloads on the theme's reflected parameters, which adds request-inspection overhead and can occasionally block legitimate rich content; enforce a restrictive Content-Security-Policy that disallows inline script to blunt reflected script execution, noting it may break theme features relying on inline JS; and if the theme is not essential, switch to a maintained theme to eliminate exposure. Because interaction is required, also advise administrators to avoid clicking untrusted links to the site while authenticated.

Share

CVE-2025-69155 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy