Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Punit Bhalodiya Killer Theme Options killer-theme-options allows Reflected XSS. This issue affects Killer Theme Options: from n/a through <= 2.0.
Published: 2025-03-03
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from the Killer Theme Options plugin’s failure to neutralize user‑supplied input before rendering it, resulting in a reflected XSS flaw. This flaw allows an attacker to embed malicious script into the output that is shown to users who view the affected page, potentially executing arbitrary JavaScript in the victim’s browser. It is classified as CWE‑79.

Affected Systems

All WordPress sites running Punit Bhalodiya's Killer Theme Options plugin version 2.0 or earlier are vulnerable. The issue covers releases from the earliest available version through to version 2.0, so any installation that has not upgraded beyond this point remains at risk.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity, while the EPSS score of less than 1% suggests a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Based on the nature of reflected XSS, an attacker can exploit the flaw by crafting a URL or form that contains malicious payloads; when a victim follows the link or submits the form, the payload is reflected back into the page and executed in the victim’s browser. The attack can be performed through the public interface of the plugin.

Generated by OpenCVE AI on May 2, 2026 at 11:12 UTC.
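
The mechanism the analysis above describes, shown side by side as code. This is an added illustration, not code from the Killer Theme Options plugin or from Patchstack; the `tab` query parameter, the `kto_example_` function names and the list of allowed tab values are assumptions made for the example. The first function reflects a request value into the page without escaping (the CWE-79 pattern); the second constrains the value to an allow-list and escapes it for each output context with WordPress's `esc_html()` and `esc_attr()`.

```php
<?php
// Added illustration (not Killer Theme Options code): a hypothetical theme-options
// page that echoes the "tab" query parameter back into its own HTML.

// Vulnerable pattern (CWE-79): the raw request value is written straight into the
// response, so whatever the URL carries is reflected to the visiting browser.
function kto_example_render_tab_vulnerable() {
    $tab = isset( $_GET['tab'] ) ? $_GET['tab'] : 'general';
    echo '<h2>Settings: ' . $tab . '</h2>';                       // no HTML-body escaping
    echo '<input type="hidden" name="tab" value="' . $tab . '">'; // no attribute escaping
}

// Hardened form: normalise the value, reject anything outside a fixed allow-list,
// then escape for the exact context the value lands in.
function kto_example_render_tab_hardened() {
    $allowed = array( 'general', 'header', 'footer' ); // assumed set of tabs for the example

    // wp_unslash() undoes WordPress's magic-quotes style slashing; sanitize_key()
    // lowercases and keeps only [a-z0-9_-], which already removes markup characters.
    $tab = isset( $_GET['tab'] ) ? sanitize_key( wp_unslash( $_GET['tab'] ) ) : 'general';

    if ( ! in_array( $tab, $allowed, true ) ) {
        $tab = 'general'; // unknown values fall back to a known one instead of being reflected
    }

    // Even after validation, escape for the output context as a second, independent layer.
    echo '<h2>Settings: ' . esc_html( $tab ) . '</h2>';
    echo '<input type="hidden" name="tab" value="' . esc_attr( $tab ) . '">';
}
```

Reviewing a plugin for this class of flaw comes down to locating every `echo`/`print` of data taken from `$_GET`, `$_POST` or `$_REQUEST` (or derived from it) and confirming that an escaping call for the matching context sits between the request and the output. A web application firewall, as the recommended actions below suggest, only filters traffic in front of that unescaped path; it does not remove the path itself.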

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Killer Theme Options plugin to the latest available version that removes the XSS vulnerability.
  • If no newer version is available, uninstall or disable the plugin until a fix is released.
  • Deploy a web application firewall or a security plugin that detects and blocks reflected XSS attempts, providing a temporary mitigative layer.

Advisories

Source: EUVD
ID: EUVD-2025-5748
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Killer Theme Options allows Reflected XSS. This issue affects Killer Theme Options: from n/a through 2.0.

History

Thu, 23 Apr 2026 15:00:00 +0000

  Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

  Description
    Values removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Killer Theme Options allows Reflected XSS. This issue affects Killer Theme Options: from n/a through 2.0.
    Values added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Punit Bhalodiya Killer Theme Options killer-theme-options allows Reflected XSS. This issue affects Killer Theme Options: from n/a through <= 2.0.
  References: changed (values not displayed)
  Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Tue, 04 Mar 2025 03:45:00 +0000

  Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 03 Mar 2025 13:45:00 +0000

  Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Killer Theme Options allows Reflected XSS. This issue affects Killer Theme Options: from n/a through 2.0.
  Title: WordPress Killer Theme Options plugin <= 2.0 - Reflected Cross Site Scripting (XSS) vulnerability
  Weaknesses: CWE-79
  References: changed (values not displayed)
  Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:10.287Z

Reserved: 2025-01-16T11:25:13.028Z

Link: CVE-2025-23473

Vulnrichment

Updated: 2025-03-03T15:56:42.519Z

NVD

Status: Deferred

Published: 2025-03-03T14:15:36.633

Modified: 2026-06-17T08:54:39.063

Link: CVE-2025-23473

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T11:15:19Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')