Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Fox-themes Prague allows Reflected XSS.

This issue affects Prague: from n/a through 2.2.8.
Published: 2026-06-03
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Prague plugin for WordPress, from Fox‑themes, fails to neutralize request input before writing it into a generated page, which allows reflected cross‑site scripting (CWE‑79). An attacker who gets a victim to open a crafted URL has script of their choosing execute in the victim's browser, in the origin of the affected site. The consequences are the usual ones for XSS: actions performed with the victim's session, theft of data the page can read, and alteration of the rendered page. The CVSS vector (S:C with C:L/I:L/A:L) records a scope change with limited impact on confidentiality, integrity and availability.

Affected Systems

Fox‑themes Prague versions up to and including 2.2.8 are affected; the advisory gives no lower bound ("from n/a"). Any WordPress site with one of these versions active is exposed, whatever its size or traffic. The advisory covers Prague only and says nothing about other Fox‑themes products.

Risk and Exploitability

The vulnerability carries a CVSS 3.1 base score of 7.1 (High) with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L: reachable over the network, low attack complexity, no privileges required, but the victim must interact by opening the crafted link. The EPSS estimate is below 1%, the issue is not listed in the CISA KEV catalog, and the SSVC assessment records no known exploitation and rates the flaw as not automatable. As a reflected XSS, the attack path is a crafted URL carrying a payload in a request parameter that the plugin echoes into the page; the attacker needs no account on the site, only a victim who follows the link. Once the affected parameter is known, reflected XSS in plugin code is straightforward to exploit, so sites still on 2.2.8 or earlier should upgrade promptly.

Generated by OpenCVE AI on June 3, 2026 at 13:24 UTC.

Remediation

Vendor Solution

Update the WordPress Prague Plugin to the latest available version (at least 2.2.9).


OpenCVE Recommended Actions

  • Update the WordPress Prague Plugin to version 2.2.9 or later to remove the XSS flaw.
  • Disable or remove the vulnerable plugin from the site if it is no longer required, thereby eliminating the exposure window.
  • As defense in depth, add a web application firewall rule for the affected request and deploy a Content Security Policy whose script-src does not allow 'unsafe-inline'; neither measure replaces the update.
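The mechanism described under Impact and the Content Security Policy recommended above, shown side by side as an added illustration. This is not code from Fox‑themes Prague, Patchstack or OpenCVE: the parameter name `s`, the markup and the payload are constructed, because the advisory does not identify the affected input. Inside WordPress the escaping call would be esc_attr(); the fallback used here is htmlspecialchars(), which is what esc_attr() wraps.

```php
<?php
// Added illustration for this advisory; it is not code from Fox-themes Prague,
// Patchstack or OpenCVE. The parameter name `s`, the markup and the payload
// are constructed, because the advisory does not identify the affected input.
declare(strict_types=1);

/**
 * The CWE-79 pattern: request data concatenated into HTML without escaping.
 * A value such as  "><script>...</script>  closes the attribute and the
 * <input> tag, and the browser then executes the injected element.
 */
function render_vulnerable(string $search): string
{
    return '<input type="text" name="s" value="' . $search . '">';
}

/**
 * Hardened form: escape for the attribute context at the point of output.
 * In a WordPress plugin that is esc_attr(); outside WordPress the equivalent
 * is htmlspecialchars() with ENT_QUOTES so both quote characters are encoded.
 */
function render_hardened(string $search): string
{
    $escaped = function_exists('esc_attr')
        ? esc_attr($search)
        : htmlspecialchars($search, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="s" value="' . $escaped . '">';
}

/**
 * Defence in depth from the recommended actions: a Content-Security-Policy.
 * With $strict = false the policy carries 'unsafe-inline', so an injected
 * <script> still runs; with $strict = true only scripts bearing the
 * per-response nonce execute, and injected markup cannot know the nonce.
 */
function csp_header(string $nonce, bool $strict = true): string
{
    if (!$strict) {
        return "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'";
    }
    return "Content-Security-Policy: default-src 'self'; "
        . "script-src 'self' 'nonce-{$nonce}'; object-src 'none'; base-uri 'self'";
}

// Constructed attacker input of the kind a crafted link would carry in `s`.
$payload = '"><script>alert(document.cookie)</script>';

$vulnerable = render_vulnerable($payload);
$hardened   = render_hardened($payload);

// The unescaped rendering contains a live <script> element; the escaped one does not.
if (!str_contains($vulnerable, '<script>') || str_contains($hardened, '<script>')) {
    throw new RuntimeException('unexpected rendering');
}

$nonce = base64_encode(random_bytes(16));
if (PHP_SAPI !== 'cli') {
    // Real responses send the policy as a header; every legitimate inline
    // script on the page must then carry a nonce attribute equal to $nonce.
    header(csp_header($nonce));
}

echo "vulnerable: {$vulnerable}\n";
echo "hardened:   {$hardened}\n";
echo "weak CSP:   ", csp_header($nonce, false), "\n";
echo "strict CSP: ", csp_header($nonce), "\n";
```

Run with `php example.php` (PHP 8 or later for str_contains) to see the raw and escaped renderings and both policies. The nonce must be generated fresh per response and attached to every legitimate inline script; a static nonce or a policy that keeps 'unsafe-inline' gives no protection against the reflected payload.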

Generated by OpenCVE AI on June 3, 2026 at 13:24 UTC.


Advisories

No advisories yet.

History

Wed, 03 Jun 2026 14:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Fox-themes
                                       Fox-themes prague
                                       Wordpress
                                       Wordpress wordpress
Vendors & Products                     Fox-themes
                                       Fox-themes prague
                                       Wordpress
                                       Wordpress wordpress

Wed, 03 Jun 2026 13:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 03 Jun 2026 11:15:00 +0000

Type          Values Removed   Values Added
Description                    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Fox-themes Prague allows Reflected XSS. This issue affects Prague: from n/a through 2.2.8.
Title                          WordPress Prague plugin <= 2.2.8 - Cross Site Scripting (XSS) vulnerability
Weaknesses                     CWE-79
References
Metrics                        cvssV3_1
                               {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Fox-themes Prague
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-03T12:40:13.270Z

Reserved: 2026-06-03T08:54:38.977Z

Link: CVE-2025-15654

Vulnrichment

Updated: 2026-06-03T12:40:08.941Z

NVD

Status: Received

Published: 2026-06-03T09:16:12.863

Modified: 2026-06-03T09:16:12.863

Link: CVE-2025-15654

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-03T14:00:18Z

Weaknesses