Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in raratheme UltraLight the-ultralight allows Reflected XSS. This issue affects UltraLight: from n/a through <= 1.2.
Published: 2025-01-21
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A reflected cross-site scripting flaw (CWE-79) in the theme allows attacker-supplied input, typically a crafted URL or form parameter, to be written into the generated page without sanitization or output encoding. The injected script runs in the victim's browser within the site's origin, which enables theft of cookies or session tokens, actions performed with the victim's privileges (including a logged-in administrator's), and defacement of the page as seen by that victim. Because the payload is reflected rather than stored, the attacker must induce a victim to open the crafted link; nothing is persisted on the server.

Affected Systems

The WordPress theme UltraLight by Rara Theme (slug the-ultralight) is affected in all versions up to and including 1.2. The advisory gives no lower bound ("from n/a"), so every release through 1.2 should be treated as vulnerable, and no fixed version is listed. Administrators can confirm the installed version from the Version: header of the theme's style.css, from Appearance > Themes in the dashboard, or with `wp theme get the-ultralight --field=version` on a site managed with WP-CLI.

Risk and Exploitability

The CVSS 3.1 base score of 7.1 (High) comes from the vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L: the flaw is reachable over the network with no privileges and low complexity, but it requires user interaction (a victim opening a crafted link), and the scope is changed because the script executes in the victim's browser rather than on the vulnerable server. NVD's record has alternated between this vector and a 6.1 variant with A:N, as the History below shows. The EPSS score below 1% estimates a low probability of exploitation in the wild over the next 30 days, the CVE is not listed in CISA's KEV catalog, and the SSVC assessment records no known exploitation and rates the flaw as not automatable. The expected attack path is a crafted URL, or form input, whose value the theme reflects unencoded into the page.

Generated by OpenCVE AI on May 1, 2026 at 19:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • No fixed release is listed at the time of writing; check the vendor's release channel for a version newer than 1.2 and update as soon as one ships, or replace the theme with a maintained alternative.
  • Until then, reduce exposure: a web application firewall rule that rejects script tags and event-handler attributes in query parameters, and a site-wide Content-Security-Policy that disallows inline script (script-src without 'unsafe-inline'), prevents most reflected payloads from executing. Test the policy on a staging site first, because WordPress core and many plugins emit inline scripts.
  • Audit the theme's templates for request data ($_GET, $_POST, $_SERVER['REQUEST_URI']) echoed without esc_html(), esc_attr(), or esc_url() for the output context, and re-test the site with a harmless canary after any change to confirm no residual XSS vectors remain.
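The output encoding the last two recommendations call for, shown as an added illustration that is not code from the UltraLight theme or from OpenCVE: a hypothetical template fragment that echoes a request parameter (the CWE-79 pattern described under Impact) beside the WordPress-idiomatic fix, followed by the Content-Security-Policy header from the second recommendation. The ul_demo_ function names and the s query parameter are assumptions for illustration only.

```php
<?php
// Added illustrative example; not code from the UltraLight theme.
// Function names (ul_demo_*) and the 's' query parameter are assumptions.

// --- Vulnerable pattern (CWE-79): raw request data written into an attribute and a text node.
// A request such as /?s=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E closes the
// value attribute and the injected script runs in the visitor's browser on this site's origin.
function ul_demo_search_box_vulnerable() {
    $term = isset( $_GET['s'] ) ? $_GET['s'] : '';
    echo '<form method="get" action="' . home_url( '/' ) . '">';
    echo '<input type="search" name="s" value="' . $term . '">'; // attribute context, unencoded
    echo '</form>';
    echo '<p>Results for: ' . $term . '</p>';                      // text context, unencoded
}

// --- Hardened form: unslash and sanitize on input, then escape for each output context.
function ul_demo_search_box_hardened() {
    // wp_unslash() removes the slashes WordPress adds to superglobals;
    // sanitize_text_field() strips tags, null bytes and stray whitespace.
    $term = isset( $_GET['s'] ) ? sanitize_text_field( wp_unslash( $_GET['s'] ) ) : '';

    // esc_url() for URLs, esc_attr() inside quoted attributes, esc_html() in text nodes.
    echo '<form method="get" action="' . esc_url( home_url( '/' ) ) . '">';
    echo '<input type="search" name="s" value="' . esc_attr( $term ) . '">';
    echo '</form>';
    // For WordPress's own search, get_search_query() already returns the query run
    // through esc_attr(); esc_html() is used here because the value lands in a text node.
    echo '<p>Results for: ' . esc_html( $term ) . '</p>';
}

// --- Defence in depth: a CSP that refuses inline script, so a reflected payload that does
// slip through an unescaped sink cannot execute. Tune on staging first: WordPress core and
// many plugins emit inline <script> blocks that this policy will block.
function ul_demo_send_csp() {
    if ( headers_sent() ) {
        return; // too late to add headers; output has already started
    }
    header( "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'" );
}
add_action( 'send_headers', 'ul_demo_send_csp' );
```

esc_attr() and esc_html() both entity-encode <, >, &, " and ', so the value is inert inside a double-quoted attribute and inside a text node. Neither is sufficient inside a <script> block, an unquoted attribute, or a URL scheme position; the fix there is to keep user data out of that context entirely (or, for URLs, to pass it through esc_url(), which drops javascript: and other disallowed schemes).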


Advisories
Source  ID              Title
EUVD    EUVD-2025-3592  Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rara Theme UltraLight allows Reflected XSS. This issue affects UltraLight: from n/a through 1.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

  Metrics (cvssV3_1)
    Removed: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
    Added:   {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

  Description
    Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rara Theme UltraLight allows Reflected XSS. This issue affects UltraLight: from n/a through 1.2.
    Added:   Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in raratheme UltraLight the-ultralight allows Reflected XSS.This issue affects UltraLight: from n/a through <= 1.2.
  References
  Metrics (cvssV3_1)
    Removed: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}
    Added:   {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Thu, 08 Jan 2026 14:45:00 +0000

  First Time appeared
    Added: Rarathemes; Rarathemes the Ultralight
  CPEs
    Added: cpe:2.3:a:rarathemes:the_ultralight:*:*:*:*:*:wordpress:*:*
  Vendors & Products
    Added: Rarathemes; Rarathemes the Ultralight

Wed, 12 Feb 2025 21:15:00 +0000

  Metrics (ssvc)
    Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 21 Jan 2025 14:15:00 +0000

  Description
    Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rara Theme UltraLight allows Reflected XSS. This issue affects UltraLight: from n/a through 1.2.
  Title
    Added: WordPress UltraLight theme <= 1.2 - Reflected Cross Site Scripting (XSS) vulnerability
  Weaknesses
    Added: CWE-79
  References
  Metrics (cvssV3_1)
    Added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE
  Status: PUBLISHED
  Assigner: Patchstack
  Published:
  Updated: 2026-05-12T23:44:42.665Z
  Reserved: 2025-01-16T11:33:30.631Z
  Link: CVE-2025-23998

Vulnrichment
  Updated: 2025-02-12T20:27:50.009Z

NVD
  Status: Modified
  Published: 2025-01-21T14:15:13.413
  Modified: 2026-04-23T15:24:56.363
  Link: CVE-2025-23998

Redhat
  No data.

OpenCVE Enrichment
  Updated: 2026-05-01T20:00:13Z

Weaknesses