Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in twh offset writing allows Reflected XSS. This issue affects offset writing: from n/a through 1.2.
Published: 2025-05-19
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper neutralization of input during web page generation (Cross-Site Scripting). An attacker can place script in a URL parameter or form field that the offset-writing theme echoes back into the page without escaping, so it is reflected to the victim's browser. The impact is execution of attacker-controlled script in the context of the victim's session, which can lead to data theft, session hijacking, or defacement. The weakness is consistent with CWE-79.

Affected Systems

The offset-writing theme for WordPress, developed by twh, is affected. Any installation running a version from the initial release through version 1.2 is vulnerable. Versions beyond 1.2 are not listed as affected.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity, while the EPSS score of less than 1% suggests a low probability of exploitation at this time. The vulnerability is not currently listed in the CISA KEV catalog. Exploitation requires an attacker to craft a malicious URL or input that the theme's rendering logic accepts, and the victim must then open the page that reflects it (the UI:R component of the CVSS vector captures this user-interaction requirement). Because the payload travels in reflected input, exploitation would most likely arrive through phishing or a tampered link.

Generated by OpenCVE AI on May 1, 2026 at 08:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the offset writing theme to version 1.3 or later, which removes the reflection flaw. Note that the Remediation section above records no vendor fix, so confirm that a patched release is actually available before relying on this step.
  • Validate and escape all user-supplied input before rendering it into the page. If you cannot update immediately, disable the theme features that output user-supplied input without escaping.
  • Apply a Content Security Policy (CSP) that restricts script sources and limits the impact of any residual XSS attempts.

Advisories
Source: EUVD
ID: EUVD-2025-15729
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in twh offset writing allows Reflected XSS. This issue affects offset writing: from n/a through 1.2.
History

Tue, 28 Apr 2026 19:30:00 +0000


Tue, 28 Apr 2026 18:30:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in twh offset writing offset-writing allows Reflected XSS.This issue affects offset writing: from n/a through <= 1.2.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in twh offset writing allows Reflected XSS.This issue affects offset writing: from n/a through 1.2.
References

Thu, 23 Apr 2026 15:30:00 +0000


Thu, 23 Apr 2026 15:00:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in twh offset writing allows Reflected XSS.This issue affects offset writing: from n/a through 1.2.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in twh offset writing offset-writing allows Reflected XSS.This issue affects offset writing: from n/a through <= 1.2.
References

Mon, 19 May 2025 19:15:00 +0000

Type: Metrics (ssvc)
Values Added (SSVC version 2.0.3):
  Automatable: no
  Exploitation: none
  Technical Impact: partial


Mon, 19 May 2025 16:15:00 +0000

Values Added:
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in twh offset writing allows Reflected XSS.This issue affects offset writing: from n/a through 1.2.
Title: WordPress offset writing theme <= 1.2 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses: CWE-79
References
Metrics (cvssV3_1):
  Score: 7.1
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:07.506Z

Reserved: 2025-01-07T21:05:18.434Z

Link: CVE-2025-22791

Vulnrichment

Updated: 2025-05-19T16:51:55.261Z

NVD

Status: Deferred

Published: 2025-05-19T16:15:27.047

Modified: 2026-04-28T19:28:37.167

Link: CVE-2025-22791

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T08:30:12Z

Weaknesses