Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeisle Orbit Fox by ThemeIsle themeisle-companion allows Stored XSS. This issue affects Orbit Fox by ThemeIsle: from n/a through <= 2.10.44.
Published: 2025-03-27
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is caused by improper neutralization of user input during WordPress page generation. Stored XSS can be introduced through the plugin, causing malicious scripts to be rendered and executed whenever a page that includes the compromised content is loaded by a visitor. The injected code runs within the context of the site and can perform attacks such as defacing, redirecting visitors, or providing a vector for additional exploitation.

Affected Systems

WordPress installations that use the Themeisle Orbit Fox by ThemeIsle plugin version 2.10.44 or earlier are affected. The plugin is distributed as a WordPress plugin named Orbit Fox by ThemeIsle.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate impact, while the EPSS score of less than 1 % shows a low likelihood of exploitation at this time. The flaw is not listed in CISA KEV. The stored XSS can likely be triggered by submitting content through any input field processed by the plugin; it requires the attacker to inject malicious code into that content, which is then rendered to all users who view the page.

Generated by OpenCVE AI on May 2, 2026 at 03:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Orbit Fox by ThemeIsle plugin to a version newer than 2.10.44 to remove the stored XSS flaw.
  • If an update is not immediately possible, deactivate or delete the plugin to eliminate the vulnerability.
  • As a temporary measure, restrict the submission of user‑generated content processed by the plugin and ensure any remaining input is sanitized before rendering.



Advisories

| Source | ID | Title |
|---|---|---|
| EUVD | EUVD-2025-8456 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeisle Orbit Fox by ThemeIsle allows Stored XSS. This issue affects Orbit Fox by ThemeIsle: from n/a through 2.10.44. |

History

Thu, 23 Apr 2026 15:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'} | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'} |


Wed, 01 Apr 2026 23:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeisle Orbit Fox by ThemeIsle allows Stored XSS. This issue affects Orbit Fox by ThemeIsle: from n/a through 2.10.44. | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeisle Orbit Fox by ThemeIsle themeisle-companion allows Stored XSS. This issue affects Orbit Fox by ThemeIsle: from n/a through <= 2.10.44. |
| References | | |
| Metrics | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'} | cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'} |


Tue, 08 Jul 2025 18:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Themeisle; Themeisle orbit Fox |
| CPEs | | cpe:2.3:a:themeisle:orbit_fox:*:*:*:*:*:wordpress:*:* |
| Vendors & Products | | Themeisle; Themeisle orbit Fox |

Thu, 27 Mar 2025 19:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Thu, 27 Mar 2025 15:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeisle Orbit Fox by ThemeIsle allows Stored XSS. This issue affects Orbit Fox by ThemeIsle: from n/a through 2.10.44. |
| Title | | WordPress Orbit Fox by ThemeIsle plugin <= 2.10.44 - Cross Site Scripting (XSS) vulnerability |
| Weaknesses | | CWE-79 |
| References | | |
| Metrics | | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'} |


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:03.821Z

Reserved: 2025-01-07T21:02:51.800Z

Link: CVE-2025-22659

Vulnrichment

Updated: 2025-03-27T18:17:12.921Z

NVD

Status: Modified

Published: 2025-03-27T15:15:58.283

Modified: 2026-04-23T15:23:20.777

Link: CVE-2025-22659

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T03:15:06Z

Weaknesses