EUVD-2025-208997
GHSA-8mwf-fh3g-cqp9
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
3Tags
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in G5Theme Zorka zorka allows Reflected XSS.This issue affects Zorka: from n/a through <= 1.5.7.
Analysis
G5Theme Zorka WordPress theme versions up to and including 1.5.7 contain a Reflected Cross-Site Scripting (XSS) vulnerability that fails to properly neutralize user input during web page generation. An attacker can craft a malicious URL containing JavaScript payload and trick users into clicking it, allowing the attacker to execute arbitrary JavaScript in the victim's browser session, potentially stealing session cookies, credentials, or performing actions on behalf of the user. No CVSS score, EPSS probability, or KEV status has been assigned, but the vulnerability is confirmed by Patchstack with a clear attack vector.
Technical Context
The vulnerability exists in the G5Theme Zorka WordPress theme (identified via CPE cpe:2.3:a:g5theme:zorka:*:*:*:*:*:*:*:*) and represents a classic CWE-79 Improper Neutralization of Input During Web Page Generation flaw. Specifically, the theme fails to sanitize or encode user-supplied input before rendering it in HTTP responses, allowing attacker-controlled data to be interpreted as executable code within the browser context. This is a reflected XSS vulnerability, meaning the malicious payload is passed through the request itself (typically via URL query parameters or form data) rather than stored server-side, making it suitable for phishing campaigns where victims must be tricked into accessing a crafted link. The root cause is insufficient use of WordPress security functions such as sanitize_text_field(), wp_kses_post(), or esc_html() at the point where user input is rendered in HTML/JavaScript contexts.
Affected Products
G5Theme Zorka WordPress theme is affected in all versions from the beginning through and including version 1.5.7, as confirmed by the CPE cpe:2.3:a:g5theme:zorka:*:*:*:*:*:*:*:*. The ENISA EUVD database (EUVD-2025-208997) confirms the affected version range as Zorka n/a through 1.5.7. Patchstack has published details of the vulnerability in their vulnerability database at https://patchstack.com/database/Wordpress/Theme/zorka/vulnerability/wordpress-zorka-theme-1-5-7-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve. Any WordPress installation using Zorka theme at version 1.5.7 or earlier should be considered vulnerable.
Remediation
The primary remediation is to upgrade G5Theme Zorka to a version newer than 1.5.7 immediately; check the vendor advisory at Patchstack (https://patchstack.com/database/Wordpress/Theme/zorka/vulnerability/wordpress-zorka-theme-1-5-7-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve) for the specific patched version available. Until patching is completed, implement defense-in-depth measures including: enforce Content Security Policy (CSP) headers to restrict inline script execution and external script loading; deploy a Web Application Firewall (WAF) to detect and block common XSS payloads in query parameters and form data; apply WordPress security hardening such as disabling direct script access and restricting plugin/theme permissions; and educate users not to click suspicious links from untrusted sources. Additionally, consider applying input validation and output encoding at the application level by reviewing the theme code and ensuring all user-controlled variables are properly sanitized with WordPress functions like sanitize_text_field() and escaped with esc_html() or esc_attr() before rendering.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today