Description
The Puzzles theme for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 4.2.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-02-13
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Immediate Patch
AI Analysis

Impact

The Puzzles WordPress theme contains a stored cross-site scripting flaw that is triggered through shortcodes placed in content by users with the Contributor role or higher. The root cause is inadequate sanitization of user-supplied shortcode attributes combined with missing output escaping when the theme renders them. This is the usual shape of a WordPress shortcode XSS: a Contributor lacks the unfiltered_html capability, so raw HTML or script in the post body is stripped by kses on save, but at that point a shortcode is only literal text of the form [tag attr="..."]. The theme turns it into HTML at render time, after kses has run, so an attribute value that closes the surrounding quote and adds an event handler, or that supplies a javascript: URL, reaches the browser intact. The script then executes for anyone who views the page, including the Editor or Administrator who previews or publishes the Contributor's draft, which is the path by which a low-privilege account is typically turned into an administrative one. The advisory confirms that exploitation requires an authenticated account with sufficient role privileges, but it does not name the affected shortcodes or attributes.
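The mechanism above, shown as an added example that is not code from the Puzzles theme (the advisory does not quote the affected handlers): a hypothetical [demo_button] shortcode in the unsafe form that yields a stored XSS, next to a hardened version that escapes each value for the context it lands in. The shortcode names, attribute names and the sample payloads are invented for illustration; the snippet assumes it is loaded by WordPress, for example from a test theme's functions.php.

```php
<?php
/**
 * Added example (not the Puzzles theme's code): a hypothetical
 * [demo_button] shortcode, first written the unsafe way, then hardened.
 * Assumes WordPress has loaded it (e.g. from a test theme's functions.php).
 * Shortcode and attribute names are invented for illustration.
 */

// UNSAFE: attribute values are concatenated straight into HTML.
// A Contributor has no unfiltered_html capability, so kses strips raw
// <script> from the post body on save; but kses only sees the literal
// text "[demo_button_unsafe ...]". The <a> element is assembled here,
// at render time, after kses has already run.
function demo_button_unsafe( $atts ) {
    $a = shortcode_atts(
        array( 'link' => '#', 'title' => '', 'class' => '' ),
        $atts,
        'demo_button_unsafe'
    );
    // Sample payloads a Contributor could save in a draft (constructed):
    //   [demo_button_unsafe title='x" onmouseover="alert(document.domain)']
    //   [demo_button_unsafe link="javascript:alert(document.domain)" title="go"]
    // shortcode_parse_atts() accepts the single-quoted form, so the embedded
    // double quote survives and terminates the title="" attribute below.
    return '<a href="' . $a['link'] . '" class="' . $a['class'] . '" title="' . $a['title'] . '">' . $a['title'] . '</a>';
}
add_shortcode( 'demo_button_unsafe', 'demo_button_unsafe' );

// HARDENED: each value is escaped for the exact context it is placed in.
//   esc_url()             keeps only wp_allowed_protocols() schemes, so a
//                         javascript: or data: link collapses to "".
//   esc_attr()            encodes " ' < > &, so a value cannot close the
//                         attribute it sits in.
//   esc_html()            is the escape for the text node between the tags.
//   sanitize_html_class() reduces each class token to [A-Za-z0-9_-].
function demo_button_safe( $atts ) {
    $a = shortcode_atts(
        array( 'link' => '#', 'title' => '', 'class' => '' ),
        $atts,
        'demo_button_safe'
    );
    $tokens  = preg_split( '/\s+/', $a['class'], -1, PREG_SPLIT_NO_EMPTY );
    $classes = implode( ' ', array_filter( array_map( 'sanitize_html_class', $tokens ) ) );

    return sprintf(
        '<a href="%s" class="%s" title="%s">%s</a>',
        esc_url( $a['link'] ),
        esc_attr( $classes ),
        esc_attr( $a['title'] ),
        esc_html( $a['title'] )
    );
}
add_shortcode( 'demo_button_safe', 'demo_button_safe' );
```

With both registered, put the two sample payloads in a Contributor's draft with demo_button_unsafe and demo_button_safe swapped in, then preview as an Editor: the unsafe variant emits a live onmouseover handler and a javascript: href, while the hardened one emits the quote as &quot; and an empty href. The point to carry into a theme audit is that the escape function must match the output context; wp_kses_post() on the whole string is not a substitute for esc_attr() inside an attribute.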

Affected Systems

WordPress installations running the ThemeREX Puzzles theme (WP Magazine / Review with Store) at version 4.2.6 or earlier are affected. The record originally gave 4.2.4 as the upper bound and was widened to 4.2.6 on 2026-04-08 (see History), so a 4.2.5 or 4.2.6 install that was judged unaffected against the earlier bound should be re-checked. The CPE is cpe:2.3:a:themerex:puzzles:*:*:*:*:*:wordpress:*:*. No further product detail is given beyond the theme name and the upper-bound version.

Risk and Exploitability

The CVSS 3.1 base score of 6.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) rates the impact medium: reachable over the network with low attack complexity, but requiring a low-privilege account, with changed scope because the script runs in visitors' browsers rather than within the theme itself. The EPSS score below 1% and the SSVC assessment (Exploitation: none, Automatable: no) indicate that exploitation in the wild is currently unlikely, and the vulnerability is not listed in CISA's KEV catalog. Because injection requires an account at Contributor level or above, the risk concentrates on sites that hand those roles to people they do not fully trust, for instance through open registration, guest-author programs or large multi-author editorial teams. Where that is the case the exposure is that of any stored XSS: theft of session cookies and actions performed in the victim's browser with the victim's privileges, which is most serious when the victim is the Editor or Administrator reviewing the submitted content.

Generated by OpenCVE AI on April 22, 2026 at 17:58 UTC.

Remediation

No vendor fix or workaround is recorded on this page. The affected range was widened from <= 4.2.4 to <= 4.2.6 on 2026-04-08, meaning a version previously assumed to be past the affected range was not, so treat every 4.2.x build as affected until ThemeREX confirms a release that escapes shortcode attributes, and verify the fix in the handlers rather than relying on the version string alone.

OpenCVE Recommended Actions

  • Contact ThemeREX to obtain an updated Puzzles theme or a security patch that fixes the shortcode XSS, and ask for the fixed version number explicitly, since the affected range on this record has already been widened once (4.2.4 to 4.2.6).
  • Audit which accounts hold the Contributor role or above and remove or downgrade any that are not trusted. Review pending and draft posts by those users for shortcodes whose attribute values contain quotes, angle brackets, on*= handlers or javascript: URLs before anyone previews or publishes them; preview is enough to execute the payload.
  • If an update is not available, correct the escaping in the theme's shortcode handlers (esc_attr() for attribute values, esc_url() for links, esc_html() for text) by re-registering the affected shortcodes from a child theme or must-use plugin, or reject such attribute values on save with a content_save_pre filter or a WAF rule. A Content-Security-Policy that disallows inline script narrows what an injected payload can do but does not remove the flaw.
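The content review in the second action can be scripted. The following is an added example, not an OpenCVE or ThemeREX tool: a WP-CLI script (assumed to be saved as scan-shortcodes.php and run with wp eval-file scan-shortcodes.php on a site where the theme is active, because get_shortcode_regex() only matches currently registered shortcodes) that walks every post in any status, parses each shortcode with WordPress's own regex and attribute parser, and flags attribute values that look like attribute breakouts, event handlers, script tags or active URL schemes. The pattern list is a heuristic starting point and will produce some noise on legitimate apostrophes; each hit needs a human look.

```php
<?php
/**
 * Added example (not OpenCVE's or ThemeREX's code): hunt for suspicious
 * shortcode attribute values already stored in wp_posts.
 * Assumed usage:  wp eval-file scan-shortcodes.php
 * Assumes WP-CLI with the site loaded and the theme active, because
 * get_shortcode_regex() matches only shortcodes that are registered.
 * The patterns are a heuristic, not proof of exploitation.
 */

if ( ! class_exists( 'WP_CLI' ) ) {
    exit( "Run this with WP-CLI: wp eval-file scan-shortcodes.php\n" );
}

// Attribute values a legitimate author rarely needs: a quote that could
// close the enclosing HTML attribute, an inline event handler, a script
// tag, an active URL scheme, or an angle bracket.
$suspicious = array(
    'attribute-breakout' => '/["\']/',
    'event-handler'      => '/\bon[a-z]+\s*=/i',
    'script-tag'         => '/<\s*\/?\s*script/i',
    'active-url-scheme'  => '/^\s*(?:javascript|data|vbscript)\s*:/i',
    'angle-bracket'      => '/[<>]/',
);

$posts = get_posts( array(
    'post_type'      => 'any',
    'post_status'    => 'any', // drafts and pending review are where Contributor content sits
    'posts_per_page' => -1,
) );

// do_shortcode() wraps the same pattern in "/.../" delimiters.
$regex = '/' . get_shortcode_regex() . '/s';
$hits  = 0;

foreach ( $posts as $post ) {
    if ( ! preg_match_all( $regex, $post->post_content, $matches, PREG_SET_ORDER ) ) {
        continue;
    }
    $author = get_userdata( $post->post_author );
    $login  = $author ? $author->user_login : '?';
    $roles  = $author ? implode( ',', $author->roles ) : 'unknown';

    foreach ( $matches as $m ) {
        // [[tag]] is an escaped shortcode and is never rendered.
        if ( '[' === $m[1] && ']' === $m[6] ) {
            continue;
        }
        $tag  = $m[2];
        $atts = shortcode_parse_atts( $m[3] ); // $m[3] is the raw attribute string
        if ( ! is_array( $atts ) ) {            // older WP returns a string when there are none
            continue;
        }
        foreach ( $atts as $name => $value ) {
            if ( ! is_string( $value ) ) {
                continue;
            }
            foreach ( $suspicious as $label => $pattern ) {
                if ( preg_match( $pattern, $value ) ) {
                    $hits++;
                    WP_CLI::warning( sprintf(
                        'post %d (%s, author %s [%s]) [%s] %s=%s  <- %s',
                        $post->ID,
                        $post->post_status,
                        $login,
                        $roles,
                        $tag,
                        is_int( $name ) ? '#' . $name : $name,
                        $value,
                        $label
                    ) );
                    break; // one line per attribute is enough
                }
            }
        }
    }
}

WP_CLI::success( sprintf( 'scanned %d posts, %d suspicious attribute values', count( $posts ), $hits ) );
```

Run it before and after applying a theme update: hits in pending or draft posts by Contributor accounts are the ones to inspect first, because they have not yet been rendered for an Editor. Since the scan reads post_content rather than rendered output, it also catches payloads that sit in revisions or unpublished posts the front end never shows.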



Advisories

Source: EUVD
ID: EUVD-2025-1888
Title: The Puzzles theme for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 4.2.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

History

Wed, 08 Apr 2026 17:45:00 +0000

Description
  Removed: The Puzzles theme for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 4.2.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
  Added: The Puzzles theme for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 4.2.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title
  Removed: Puzzles <= 4.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
  Added: Puzzles <= 4.2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Sun, 13 Jul 2025 13:45:00 +0000

Metrics
  Removed: epss {'score': 0.00019}
  Added: epss {'score': 0.00021}


Sat, 12 Jul 2025 13:45:00 +0000

Metrics
  Removed: epss {'score': 0.00037}
  Added: epss {'score': 0.00019}


Tue, 25 Feb 2025 20:15:00 +0000

Metrics
  Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 24 Feb 2025 17:30:00 +0000

First Time appeared
  Added: Themerex; Themerex puzzles
CPEs
  Added: cpe:2.3:a:themerex:puzzles:*:*:*:*:*:wordpress:*:*
Vendors & Products
  Added: Themerex; Themerex puzzles

Thu, 13 Feb 2025 04:45:00 +0000

Description
  Added: The Puzzles theme for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 4.2.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title
  Added: Puzzles <= 4.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Weaknesses
  Added: CWE-79
References
Metrics
  Added: cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:58:02.444Z

Reserved: 2025-01-29T14:15:22.616Z

Link: CVE-2025-0837

Vulnrichment

Updated: 2025-02-13T19:15:08.379Z

NVD

Status : Modified

Published: 2025-02-13T05:15:14.623

Modified: 2026-04-08T18:23:04.420

Link: CVE-2025-0837

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T18:00:05Z

Weaknesses