Skip to main content

Prague (WordPress theme) EUVDEUVD-2025-210045

| CVE-2025-15654 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-03 Patchstack GHSA-28vp-6rv7-m976
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 03, 2026 - 09:13 vuln.today

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Fox-themes Prague allows Reflected XSS.

This issue affects Prague: from n/a through 2.2.8.

AnalysisAI

Reflected cross-site scripting in Fox-themes Prague (WordPress theme/plugin family) through version 2.2.8 lets a remote attacker inject script that executes in a victim's browser when the victim clicks an attacker-crafted link. The flaw was disclosed via Patchstack and carries a CVSS 7.1 (scope-changed) rating; no public exploit identified at time of analysis and the issue is not on CISA KEV.

Technical ContextAI

The root cause is CWE-79 - improper neutralization of input during web page generation - meaning user-supplied input is reflected into HTML output without contextual encoding or sanitization. The affected component is Fox-themes' Prague, distributed via WordPress (per the Patchstack reference, the entry is filed under prague-plugins). Because WordPress themes/plugins render parameters directly into pages via PHP echo statements, an unsanitized GET/POST parameter is reflected into the response, allowing an injected <script> or HTML event handler to execute in the victim's session against the WordPress site origin. The CPE cpe:2.3:a:fox-themes:prague:*:*:*:*:*:*:*:* covers all released versions up to and including 2.2.8.

RemediationAI

No vendor-released patch identified at time of analysis from the supplied data - the Patchstack entry covers Prague through 2.2.8 without an explicit fixed-version citation in the input, so administrators should consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/prague-plugins/vulnerability/wordpress-prague-plugin-2-2-8-cross-site-scripting-xss-vulnerability and upgrade to any post-2.2.8 release published by Fox-themes once available. As compensating controls, deploy a WAF rule (Patchstack, Wordfence, or equivalent) to filter reflected XSS payloads against Prague's vulnerable endpoint(s), set a strict Content-Security-Policy that disallows inline scripts (trade-off: may break theme features that rely on inline JS), and require admins to authenticate to wp-admin only from a separate browser profile to limit session-theft impact from a clicked link. If the theme is not actively used, deactivate and remove it.

Share

EUVD-2025-210045 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy