Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in joshix Simplish simplish allows Stored XSS.This issue affects Simplish: from n/a through <= 2.6.4.
Published: 2025-04-04
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Simplish WordPress theme lacks proper input neutralisation when rendering pages, allowing an attacker to store malicious JavaScript that will run in every visitor’s browser. This stored cross‑site scripting flaw permits injection of arbitrary scripts, which can lead to data theft, session hijacking, or site defacement. The weakness corresponds to CWE‑79.

Affected Systems

All installations of the Simplish theme from its initial release through version 2.6.4 are affected. The theme is maintained by the vendor joshix and is distributed as a WordPress plugin. Sites that have not yet upgraded beyond 2.6.4 remain vulnerable.

Risk and Exploitability

The CVSS base score for this flaw is 6.5, indicating a moderate risk level. The EPSS score is below 1 %, suggesting that exploitation is currently considered unlikely, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is stored XSS via theme configuration or user‑provided content that is rendered without escaping; once injected, the malicious code executes in the browsers of all site visitors. Exploitation would typically require administrative access to modify or add content, but the low public exploitation probability does not negate the potentially serious impact on users.

Generated by OpenCVE AI on May 1, 2026 at 11:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Simplish WordPress theme to version 2.6.5 or later, which removes the improper input neutralisation bug.
  • If the upgrade must be delayed, apply a web application firewall rule or configuration that blocks or sanitises JavaScript payloads injected via theme settings or custom fields.
  • Deploy a Content Security Policy that restricts script execution to trusted sources and disallows inline scripts, reducing the impact of any stored XSS payload.

Generated by OpenCVE AI on May 1, 2026 at 11:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-9742 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in joshix Simplish allows Stored XSS.This issue affects Simplish: from n/a through 2.6.4.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in joshix Simplish allows Stored XSS.This issue affects Simplish: from n/a through 2.6.4. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in joshix Simplish simplish allows Stored XSS.This issue affects Simplish: from n/a through <= 2.6.4.
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Fri, 04 Apr 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 04 Apr 2025 14:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in joshix Simplish allows Stored XSS.This issue affects Simplish: from n/a through 2.6.4.
Title WordPress Simplish theme <= 2.6.4 - Stored Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:10:57.870Z

Reserved: 2025-01-03T13:15:43.300Z

Link: CVE-2025-22281

cve-icon Vulnrichment

Updated: 2025-04-04T14:00:55.760Z

cve-icon NVD

Status : Deferred

Published: 2025-04-04T14:15:21.297

Modified: 2026-06-17T08:46:08.047

Link: CVE-2025-22281

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T11:30:15Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')