Skip to main content

Kids Zone Theme EUVDEUVD-2025-210408

| CVE-2025-69156 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-07-02 Patchstack GHSA-fwm5-jmc4-xhcx
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
7.1 HIGH

Unauthenticated network reflected XSS (PR:N, AV:N, AC:L) needs victim click (UI:R); script escapes into the browser session (S:C) with limited C/I/A impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jul 02, 2026 - 12:07 vuln.today
CVE Published
Jul 02, 2026 - 11:14 cve.org
HIGH 7.1

DescriptionCVE.org

Unauthenticated Cross Site Scripting (XSS) in Kids Zone - Children WordPress Theme <= 5.4 versions.

AnalysisAI

Reflected cross-site scripting in the Kids Zone - Children WordPress Theme (versions 5.4 and earlier) lets unauthenticated remote attackers inject arbitrary JavaScript that executes in a victim's browser session when the victim opens a crafted link or page. The CVSS 3.1 base score is 7.1, elevated by a scope change (S:C) reflecting that injected script escapes the vulnerable theme context into the visitor's authenticated browser session. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; no EPSS value was supplied with the input.

Technical ContextAI

The affected component is a WordPress theme (cpe:2.3:a:design_themes:kids_zone_-_children_wordpress_theme) rather than WordPress core, meaning exposure is limited to sites that install this specific theme by DesignThemes. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), i.e. user-controllable input is reflected into an HTML response without adequate output encoding or input sanitization, allowing markup/script injection. Because the vulnerability is unauthenticated and reflected, the malicious payload is typically delivered through a request parameter that the theme echoes back into the rendered page.

RemediationAI

Upgrade the Kids Zone - Children WordPress Theme to a release later than 5.4 as provided by the vendor; however, no vendor-released patch version was identified in the supplied data, so administrators should consult the Patchstack advisory (https://patchstack.com/database/wordpress/theme/kidszone/vulnerability/wordpress-kids-zone-children-wordpress-theme-theme-5-4-cross-site-scripting-xss-vulnerability) and the DesignThemes changelog for a fixed build before deploying. Until a patched version is confirmed, place the site behind a WAF with XSS/reflected-payload rules (e.g. Patchstack, Wordfence) to filter script injection in request parameters - noting WAF rules can be bypassed by novel encodings and may cause false positives on legitimate rich content - and restrict or disable the specific theme pages/parameters that reflect user input where feasible, accepting the trade-off of reduced site functionality. Ensuring administrators do not click untrusted links to the site and enforcing least-privilege for logged-in sessions further limits the impact of the required user interaction.

Share

EUVD-2025-210408 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy