Skip to main content

Trendy Travel EUVDEUVD-2025-210405

| CVE-2025-69153 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-07-02 Patchstack GHSA-6cxj-rvj8-j8p8
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
7.1 HIGH

Remote unauthenticated reflected XSS needing victim click (UI:R); executed script crosses into the WordPress session context (S:C) with limited low C/I/A impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jul 02, 2026 - 12:06 vuln.today

DescriptionCVE.org

Unauthenticated Cross Site Scripting (XSS) in Trendy Travel <= 6.7 versions.

AnalysisAI

Reflected cross-site scripting in the Trendy Travel WordPress theme (versions 6.7 and earlier) by designthemes lets remote unauthenticated attackers inject arbitrary JavaScript that executes in a victim's browser when they follow a crafted link. Rated CVSS 7.1 with a scope change (S:C), reflecting that injected script can act across the WordPress security boundary. No public exploit identified at time of analysis, and no EPSS score was supplied.

Technical ContextAI

The affected component is Trendy Travel, a commercial travel-oriented WordPress theme published under the designthemes vendor (CPE cpe:2.3:a:designthemes:trendy_travel). The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation): a request-derived parameter is reflected back into an HTML response without adequate output encoding or input sanitization, so attacker-controlled markup is parsed as active content by the browser. Because this is a theme (front-end presentation layer), the vulnerable code path is reachable on public-facing pages rendered to any visitor, and the CVSS scope change (S:C) indicates the executed script can affect resources beyond the vulnerable component, e.g. the authenticated WordPress session or admin context.

RemediationAI

No vendor-released patch version is identified in the provided data, so upgrade to a fixed release cannot be cited with an exact number - monitor the designthemes/Trendy Travel changelog and the Patchstack advisory (https://patchstack.com/database/wordpress/theme/trendytravel/vulnerability/wordpress-trendy-travel-theme-6-7-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve) for a version above 6.7 and update as soon as one is released. As compensating controls until a patch is applied, place a Web Application Firewall (such as Patchstack's or a comparable WordPress WAF) in front of the site to filter reflected-XSS payloads in request parameters, which is low-impact but may miss novel encodings; add a restrictive Content-Security-Policy that disallows inline script execution to blunt injected JavaScript, accepting that it can break legitimate inline scripts and require tuning; and if the vulnerable theme endpoint or parameter is non-essential, restrict or block access to it at the reverse proxy, at the cost of any functionality that relies on it.

Share

EUVD-2025-210405 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy