Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Code Themes Digi Store allows DOM-Based XSS.This issue affects Digi Store: from n/a through 1.1.4.
Published: 2025-01-07
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper neutralization of input during web page generation that allows an attacker to inject malicious scripts into the browser context. Because the flaw is DOM‑based, an attacker can potentially execute code in the victim’s browser, steal session cookies, redirect users, or deface pages. The weakness is classified as CWE-79.

Affected Systems

The flaw affects the WordPress Digi Store theme by Code Themes, all versions up to and including 1.1.4. No later versions have been verified to contain the fix, so any site that still runs 1.1.4 or earlier is susceptible.

Risk and Exploitability

Based on the description, the likely attack vector is a web‑based route that injects script payloads into the theme’s pages, typically via user‑supplied input reflected in the DOM without proper encoding. The CVSS score of 6.5 indicates a moderate severity, and the EPSS score of less than 1% suggests a low probability of public exploitation at this time. The issue is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on May 2, 2026 at 06:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Digi Store theme version released by Code Themes.
  • If an update is not immediately possible, configure WordPress to use content security policy (CSP) headers that restrict script execution.
  • Sanitize and encode all output generated by the theme by following the principles of CWE‑79 remediation.

Generated by OpenCVE AI on May 2, 2026 at 06:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-2753 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Code Themes Digi Store allows DOM-Based XSS.This issue affects Digi Store: from n/a through 1.1.4.
History

Tue, 28 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
References

Tue, 28 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Code Themes Digi Store digi-store allows DOM-Based XSS.This issue affects Digi Store: from n/a through <= 1.1.4. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Code Themes Digi Store allows DOM-Based XSS.This issue affects Digi Store: from n/a through 1.1.4.
References

Thu, 23 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
References

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Code Themes Digi Store allows DOM-Based XSS.This issue affects Digi Store: from n/a through 1.1.4. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Code Themes Digi Store digi-store allows DOM-Based XSS.This issue affects Digi Store: from n/a through <= 1.1.4.
References

Tue, 07 Jan 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 07 Jan 2025 17:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Code Themes Digi Store allows DOM-Based XSS.This issue affects Digi Store: from n/a through 1.1.4.
Title WordPress Digi Store theme <= 1.1.4 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:10:59.866Z

Reserved: 2025-01-03T13:16:49.451Z

Link: CVE-2025-22354

cve-icon Vulnrichment

Updated: 2025-01-07T17:53:17.698Z

cve-icon NVD

Status : Deferred

Published: 2025-01-07T17:15:33.230

Modified: 2026-04-28T19:28:16.647

Link: CVE-2025-22354

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T06:45:36Z

Weaknesses