Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Takimi Themes CarZine allows Reflected XSS. This issue affects CarZine: from n/a through 1.4.6.
Published: 2025-05-19
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Takimi Themes CarZine WordPress theme writes request-supplied input into generated pages without neutralizing it (CWE-79), which yields a reflected cross-site scripting vulnerability. An attacker who gets a victim to open a crafted link or submit a crafted form has attacker-supplied script executed in the victim's browser within the site's origin. That script can act as the victim (including driving wp-admin actions if the victim is a logged-in administrator), alter what the victim sees, or redirect the victim to attacker-controlled content. The server itself is not compromised by the flaw; the impact lands on the users who visit the malicious link.

Affected Systems

WordPress installations with the Takimi Themes CarZine theme at version 1.4.6 or earlier are affected; "from n/a" means no lower bound is recorded, so every release up to and including 1.4.6 should be treated as vulnerable. The installed version can be read from the Version: header of the theme's style.css or, under WP-CLI, with `wp theme list --fields=name,version`.

Risk and Exploitability

The CVSS 3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) is rated High: the flaw is reachable over the network, requires no privileges and low complexity, but does require user interaction, and the changed scope reflects that the injected code runs in the victim's browser rather than on the server. The EPSS score below 1 % and the absence of a CISA KEV listing indicate no observed exploitation at the time of writing, consistent with the SSVC assessment recorded below (Exploitation: none, Automatable: no). Because the flaw is reflected, the payload travels in the crafted URL or form submission rather than being stored on the site, so the attacker must deliver the link to a victim (for example by phishing) and the victim must be able to reach the site. The site does not need to be compromised beforehand; the most valuable targets are logged-in administrators, whose browser can then be made to perform authenticated wp-admin actions.

Generated by OpenCVE AI on May 1, 2026 at 08:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check whether Takimi Themes has published a CarZine release later than 1.4.6 and upgrade to it; at the time of this entry no vendor fix or workaround is recorded (see Remediation above). If no fixed release exists, consider replacing the theme.
  • If an upgrade is not yet possible, locate where the theme writes request data ($_GET, $_POST, $_SERVER['REQUEST_URI'] and similar) into HTML and escape it at the point of output with the WordPress function for that context: esc_html() for element text, esc_attr() for attribute values, esc_url() for href/src values, esc_js() for strings placed in inline script, and wp_kses_post() where a limited set of HTML must be preserved. Sanitizing input on the way in is an additional layer, not a substitute for output escaping.
  • Deploy a strict Content Security Policy that restricts script sources and disallows inline script, which blocks the usual reflected payloads even if an unescaped sink remains. WordPress core and many plugins emit inline scripts, so roll the policy out as Content-Security-Policy-Report-Only first and move to nonces or hashes for the inline scripts that must stay.
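The escaping and CSP recommendations above, as an added example that is not code from the CarZine theme or from OpenCVE: a template fragment that reflects a request parameter unescaped, the same fragment escaped per HTML context, and a Content-Security-Policy header sent from WordPress's send_headers hook. The parameter name s, the function names, the markup and the policy string are assumptions; the advisory does not identify the affected parameter or template. The stand-ins at the top exist only so the file also runs under plain php outside WordPress.

```php
<?php
/**
 * Added example, not code from the CarZine theme. Shows the reflected-XSS
 * pattern described in the advisory (CWE-79) beside the WordPress-idiomatic
 * fix, plus a CSP header as defence in depth. Parameter name "s", function
 * names, markup and policy string are illustrative assumptions.
 */

// Minimal stand-ins so the file also runs under plain `php` outside WordPress.
// They approximate WordPress's functions for this demo only.
if (!function_exists('esc_html')) {
    function esc_html(string $s): string { return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
    function esc_attr(string $s): string { return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
    function wp_unslash($value) { return is_string($value) ? stripslashes($value) : $value; }
    function add_action(string $hook, callable $callback): void { /* no-op outside WordPress */ }
}

// Reads the request parameter once; arrays (?s[]=x) are rejected so the
// escaping functions below always receive a string.
function carzine_demo_query_param(): string {
    return (isset($_GET['s']) && is_string($_GET['s'])) ? wp_unslash($_GET['s']) : '';
}

// Vulnerable pattern: the parameter is written straight into the page.
// A URL such as ?s=%22%3E%3Cscript%3E...%3C/script%3E closes the attribute
// and injects script that runs in the site's origin in the victim's browser.
function carzine_demo_vulnerable_results_heading(): string {
    $q = carzine_demo_query_param();
    return '<h2 class="results-title">Results for ' . $q . '</h2>'
         . '<input type="text" name="s" value="' . $q . '">';
}

// Hardened pattern: the same data, escaped at the point of output with the
// function matching the HTML context (element text vs. attribute value).
// Output escaping is what prevents XSS; input sanitization is a separate,
// additional layer and not a replacement for it.
function carzine_demo_hardened_results_heading(): string {
    $q = carzine_demo_query_param();
    return '<h2 class="results-title">Results for ' . esc_html($q) . '</h2>'
         . '<input type="text" name="s" value="' . esc_attr($q) . '">';
}

// Defence in depth: allow scripts only from the site's own origin and block
// inline script, which defeats the usual reflected payloads even if an
// unescaped sink remains. Illustrative starting point, not a site-specific
// recommendation; see the usage note on Report-Only rollout.
function carzine_demo_csp_value(): string {
    return "default-src 'self'; script-src 'self'; object-src 'none'; "
         . "base-uri 'self'; frame-ancestors 'self'";
}

function carzine_demo_send_csp(): void {
    if (!headers_sent()) {
        header('Content-Security-Policy: ' . carzine_demo_csp_value());
    }
}
// 'send_headers' fires before WordPress starts output. In production this
// belongs in an mu-plugin rather than the theme so it survives theme updates.
add_action('send_headers', 'carzine_demo_send_csp');

// Stand-alone demo: `php this_file.php` prints both renderings of a canary
// payload (constructed input, not a claim about any CarZine parameter).
if (PHP_SAPI === 'cli') {
    $_GET['s'] = '"><script>alert(document.domain)</script>';
    echo 'vulnerable: ' . carzine_demo_vulnerable_results_heading() . PHP_EOL;
    echo 'hardened:   ' . carzine_demo_hardened_results_heading() . PHP_EOL;
}
```

In the hardened output the quote and angle brackets arrive as `&quot;`, `&lt;` and `&gt;`, so the browser renders the payload as text. Before enforcing the CSP, ship it as `Content-Security-Policy-Report-Only` with a `report-to` or `report-uri` endpoint and review what WordPress core, the theme and plugins break with `script-src 'self'`; inline scripts they need must then get a nonce or hash rather than a blanket `'unsafe-inline'`, which would undo the protection.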

Generated by OpenCVE AI on May 1, 2026 at 08:26 UTC.

Advisories
Source ID Title
EUVD EUVD-2025-15726 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Takimi Themes CarZine allows Reflected XSS.This issue affects CarZine: from n/a through 1.4.6.
History

Tue, 28 Apr 2026 19:30:00 +0000


Tue, 28 Apr 2026 18:30:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Takimi Themes CarZine carzine allows Reflected XSS.This issue affects CarZine: from n/a through <= 1.4.6.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Takimi Themes CarZine allows Reflected XSS.This issue affects CarZine: from n/a through 1.4.6.
References

Thu, 23 Apr 2026 15:30:00 +0000


Thu, 23 Apr 2026 15:00:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Takimi Themes CarZine allows Reflected XSS.This issue affects CarZine: from n/a through 1.4.6.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Takimi Themes CarZine carzine allows Reflected XSS.This issue affects CarZine: from n/a through <= 1.4.6.
References

Mon, 19 May 2025 19:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 19 May 2025 16:15:00 +0000

Type: Description
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Takimi Themes CarZine allows Reflected XSS.This issue affects CarZine: from n/a through 1.4.6.
Type: Title
Values Added: WordPress CarZine theme <= 1.4.6 - Reflected Cross Site Scripting (XSS) vulnerability
Type: Weaknesses
Values Added: CWE-79
Type: References
Type: Metrics (cvssV3_1)
Values Added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:27.381Z

Reserved: 2025-01-16T11:33:14.050Z

Link: CVE-2025-23981

Vulnrichment

Updated: 2025-05-19T18:01:52.338Z

NVD

Status: Deferred

Published: 2025-05-19T16:15:27.560

Modified: 2026-06-17T08:57:50.020

Link: CVE-2025-23981

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T08:30:12Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')