Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Unauthenticated network reflected XSS (PR:N, AV:N, AC:L) needs victim click (UI:R); script escapes into the browser session (S:C) with limited C/I/A impact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
Unauthenticated Cross Site Scripting (XSS) in Kids Zone - Children WordPress Theme <= 5.4 versions.
AnalysisAI
Reflected cross-site scripting in the Kids Zone - Children WordPress Theme (versions 5.4 and earlier) lets unauthenticated remote attackers inject arbitrary JavaScript that executes in a victim's browser session when the victim opens a crafted link or page. The CVSS 3.1 base score is 7.1, elevated by a scope change (S:C) reflecting that injected script escapes the vulnerable theme context into the visitor's authenticated browser session. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; no EPSS value was supplied with the input.
Technical ContextAI
The affected component is a WordPress theme (cpe:2.3:a:design_themes:kids_zone_-_children_wordpress_theme) rather than WordPress core, meaning exposure is limited to sites that install this specific theme by DesignThemes. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), i.e. user-controllable input is reflected into an HTML response without adequate output encoding or input sanitization, allowing markup/script injection. Because the vulnerability is unauthenticated and reflected, the malicious payload is typically delivered through a request parameter that the theme echoes back into the rendered page.
RemediationAI
Upgrade the Kids Zone - Children WordPress Theme to a release later than 5.4 as provided by the vendor; however, no vendor-released patch version was identified in the supplied data, so administrators should consult the Patchstack advisory (https://patchstack.com/database/wordpress/theme/kidszone/vulnerability/wordpress-kids-zone-children-wordpress-theme-theme-5-4-cross-site-scripting-xss-vulnerability) and the DesignThemes changelog for a fixed build before deploying. Until a patched version is confirmed, place the site behind a WAF with XSS/reflected-payload rules (e.g. Patchstack, Wordfence) to filter script injection in request parameters - noting WAF rules can be bypassed by novel encodings and may cause false positives on legitimate rich content - and restrict or disable the specific theme pages/parameters that reflect user input where feasible, accepting the trade-off of reduced site functionality. Ensuring administrators do not click untrusted links to the site and enforcing least-privilege for logged-in sessions further limits the impact of the required user interaction.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210408
GHSA-fwm5-jmc4-xhcx