Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Network-reachable unauthenticated XSS requiring a victim click; scope change to admin context yields low C/I/A impact on the WordPress session, consistent with reported vector.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Cross Site Scripting (XSS) in Qreatix <= 1.9.4 versions.
AnalysisAI
Reflected/stored cross-site scripting in the Qreatix WordPress theme (versions 1.9.4 and earlier) allows remote unauthenticated attackers to inject arbitrary script that executes in a victim's browser after the victim interacts with a crafted link or page. The flaw is reported by Patchstack and tracked as EUVD-2025-210188; no public exploit identified at time of analysis and no CISA KEV listing. CVSS scope-change rating (7.1) reflects impact on a separate security authority - typically the WordPress admin session of a logged-in user lured to the payload.
Technical ContextAI
Qreatix is a commercial WordPress theme distributed by jkdevstudio (CPE cpe:2.3:a:jkdevstudio:qreatix). The root cause is CWE-79 - improper neutralization of user-supplied input during web page generation - meaning the theme renders attacker-controlled data into HTML/JavaScript context without adequate output encoding or input sanitization. Because the issue is reachable without authentication, the injection point is likely a public-facing theme endpoint (e.g., a search/form parameter, comment field, or shortcode handler) that echoes request data back into a page that may later be viewed by privileged users in the WordPress admin or site frontend.
RemediationAI
No vendor-released patch identified at time of analysis - the Patchstack advisory does not name a fixed Qreatix release in the supplied data, so administrators should monitor https://patchstack.com/database/wordpress/theme/qreatix/vulnerability/wordpress-qreatix-theme-1-9-4-cross-site-scripting-xss-vulnerability and the jkdevstudio theme page for a 1.9.5+ release and apply it immediately when available. As compensating controls, deploy Patchstack's vPatch or an equivalent WAF rule that blocks XSS payloads on the theme's vulnerable parameters (trade-off: may break legitimate rich-text submissions), enforce a strict Content-Security-Policy that disallows inline script and untrusted script sources (trade-off: may break theme-bundled inline JS, requiring nonce/hash whitelisting), and temporarily switch to an alternate theme if the site cannot tolerate the exposure. Administrators should also avoid clicking suspicious links to their own site while logged in until patched.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210188