Skip to main content

Artale WordPress Theme EUVDEUVD-2025-210404

| CVE-2025-69152 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-07-02 Patchstack GHSA-jjcv-hgrx-x8hh
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
7.1 HIGH

Unauthenticated reflected XSS reachable over the network (PR:N/AV:N) but requiring a victim to click (UI:R), with a scope change into the browser and only low C/I/A impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jul 02, 2026 - 12:06 vuln.today
CVE Published
Jul 02, 2026 - 11:14 cve.org
HIGH 7.1

DescriptionCVE.org

Unauthenticated Cross Site Scripting (XSS) in Artale | Wedding Photography WordPress <= 2.2.2 versions.

AnalysisAI

Reflected/stored Cross-Site Scripting in the Artale Wedding Photography WordPress theme (versions 2.2.2 and earlier) lets unauthenticated remote attackers inject arbitrary JavaScript that executes in a victim's browser after they follow a crafted link or load a poisoned page. Reported by Patchstack and rated CVSS 7.1 with a scope change, it primarily threatens site visitors and administrators through session/context theft rather than direct server compromise. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Technical ContextAI

The affected component is Artale, a commercial WordPress theme by ThemeGoods marketed for wedding photography sites (CPE cpe:2.3:a:themegoods:artale_|_wedding_photography_wordpress:*). The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning user-controllable input is reflected into HTML output without proper output encoding or input sanitization. Because the CVSS vector marks it unauthenticated (PR:N), the injectable sink is reachable via a public request path (e.g., a theme parameter, search/form field, or front-end template) rather than an authenticated admin screen, allowing attacker-supplied markup/script to be rendered in the page.

RemediationAI

Upgrade the Artale theme to a fixed release above 2.2.2 once the vendor (ThemeGoods) publishes one; the Patchstack advisory (https://patchstack.com/database/wordpress/theme/artale/vulnerability/wordpress-artale-wedding-photography-wordpress-theme-2-2-2-cross-site-scripting-xss-vulnerability?_s_id=cve) is the authoritative source for the patched version, which is not stated in the available data. If no fixed version is yet available, apply virtual patching via a WAF or Patchstack's protection module to filter script payloads on the vulnerable request path, and add a restrictive Content-Security-Policy to block inline/injected script execution (side effect: may break legitimate inline scripts and require tuning). As a stronger interim control, restrict or disable the affected front-end feature or switch to an alternate theme on exposed production sites, accepting the loss of that theme's functionality until a patched build is confirmed.

Share

EUVD-2025-210404 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy