Impact
The Multifox theme contains a stored cross‑site scripting flaw that can be triggered by improperly neutralized user input. When malicious code is entered into a form or content area, the theme stores it without sanitization and later renders it to visitors, causing the script to run in their browsers. This content‑injection weakness (CWE‑79) allows an attacker to execute arbitrary JavaScript, potentially hijacking sessions, defacing the site, or stealing data from users.
Affected Systems
All WordPress sites using Creative Brahma Multifox version 1.3.7 or earlier are affected. The vulnerability exists in every release from the earliest available version through 1.3.7, so any site that has not upgraded beyond that point is vulnerable.
Risk and Exploitability
The CVSS score of 6.5 places the vulnerability in a moderate risk category, while the EPSS score of less than 1% suggests that exploitation opportunities are currently rare and it is not listed in the CISA KEV catalog. Attackers would need to inject malicious content through a theme input or content entry point; once stored, the script executes for any visitor who loads the affected page, reflecting the typical attack path for stored XSS weaknesses.
OpenCVE Enrichment
EUVD