Description
The Betheme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's custom JS functionality in all versions up to, and including, 27.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-01-21
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting via Custom JS
Action: Immediate Patch
AI Analysis

Impact

The Betheme plugin for WordPress contains an insufficient input sanitization flaw in its custom JavaScript feature. An authenticated attacker with contributor‑level rights or higher can store malicious scripts in page attributes that get rendered without proper escaping. When any visitor loads the affected page, the injected code runs in the victim’s browser, allowing attackers to steal session cookies, hijack accounts, deface content, or launch further phishing attacks. This constitutes a classic stored XSS that can compromise confidentiality, integrity, and availability of user sessions.

Affected Systems

The vulnerability affects all Betheme installations provided by MuffinGroup for WordPress from the earliest release up to and including version 27.6.1. Each affected installation allows contributors and higher‑level users to insert custom JavaScript into pages, making all users of that site potentially vulnerable.

Risk and Exploitability

The CVSS score is 6.4, indicating moderate severity, while the EPSS score of less than 1% suggests a low likelihood of immediate exploitation at this time. The flaw is not listed in CISA’s KEV catalog. Because exploitation requires authenticated contributor or higher access, an attacker must first obtain legitimate credentials or compromise an existing contributor account. Once authenticated, the attacker simply inserts malicious JavaScript in the custom JS field through the plugin’s UI, which is then served to all visitors. The impact can be severe if the script performs credential theft or defacement, but the current exploitation probability remains low.

Generated by OpenCVE AI on April 22, 2026 at 15:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Betheme to version 27.6.2 or later, which removes the vulnerable custom JS handling.
  • If an upgrade is not feasible, disable the custom JavaScript feature in the plugin’s settings or delete any existing custom JS blocks from affected pages.
  • Restrict contributor and higher‑level roles to trusted users only and monitor the CMS for unexpected script insertions.

Advisories
Source: EUVD
ID: EUVD-2025-1681
Title: The Betheme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's custom JS functionality in all versions up to, and including, 27.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Thu, 05 Jun 2025 14:45:00 +0000

First Time appeared (values added): Muffingroup; Muffingroup betheme
CPEs (values added): cpe:2.3:a:muffingroup:betheme:*:*:*:*:*:wordpress:*:*
Vendors & Products (values added): Muffingroup; Muffingroup betheme

Tue, 21 Jan 2025 16:15:00 +0000

Metrics (values added): ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 21 Jan 2025 11:15:00 +0000

Description (values added): The Betheme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's custom JS functionality in all versions up to, and including, 27.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title (values added): Betheme <= 27.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom JS
Weaknesses (values added): CWE-79
References (values added):
Metrics (values added): cvssV3_1
{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:45:39.645Z

Reserved: 2025-01-13T22:51:43.424Z

Link: CVE-2025-0450

Vulnrichment

Updated: 2025-01-21T16:04:52.473Z

NVD

Status: Analyzed

Published: 2025-01-21T11:15:10.593

Modified: 2025-06-05T14:26:26.440

Link: CVE-2025-0450

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T15:00:05Z

Weaknesses