Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jthemes Themebox - Digital Products Ecommerce allows Reflected XSS.
This issue affects Themebox - Digital Products Ecommerce: from n/a through 1.4.2.
AnalysisAI
Reflected cross-site scripting in Jthemes' Themebox - Digital Products Ecommerce WordPress theme (versions through 1.4.2) lets an unauthenticated attacker inject script that executes in a victim's browser when they follow a crafted link. With CVSS 7.1 (scope-changed, low impact across confidentiality, integrity and availability), successful exploitation can hijack session context or perform actions in the WordPress admin/store context, though it requires the victim to click an attacker-supplied URL. No public exploit identified at time of analysis, and EPSS is very low at 0.03% (10th percentile), indicating minimal observed exploitation interest.
Technical ContextAI
Themebox - Digital Products Ecommerce is a commercial WordPress theme by Jthemes used to build digital-product storefronts. The flaw is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), the root cause class for cross-site scripting: attacker-controlled input is reflected back into an HTML response without proper output encoding or contextual sanitization. Because this is reflected XSS, the malicious payload is not stored server-side but is delivered through a request parameter that the theme echoes into a generated page. No CPE strings were supplied in the input; the affected component is identified through the Patchstack/EUVD advisory and version data rather than NVD CPE configurations.
RemediationAI
No vendor-released patch version is identified in the available data; the supplied references include only the Patchstack advisory and do not name a fixed release, so administrators should consult the Patchstack entry (https://patchstack.com/database/wordpress/theme/themebox/vulnerability/wordpress-themebox-digital-products-ecommerce-theme-1-4-2-cross-site-scripting-xss-vulnerability?_s_id=cve) and the Jthemes vendor channel for any release newer than 1.4.2 and upgrade as soon as one is published. Until a fixed version is confirmed, compensating controls include deploying a WordPress-aware web application firewall or virtual patch (Patchstack offers one for this CVE) to filter reflected-XSS payloads in request parameters; adding a restrictive Content-Security-Policy header to constrain inline/external script execution (trade-off: may break legitimate theme scripts and require tuning); and setting HttpOnly on session cookies to blunt cookie theft (trade-off: does not stop DOM actions or non-cookie attacks). Avoid following untrusted links to the affected site and consider restricting or monitoring access to admin pages.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209960
GHSA-c7x5-qpfw-5h38