CVE-2025-25144 - Vulnerability Details

- WordPress Theasys plugin <= 1.0.1 - CSRF to Stored XSS vulnerability

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in theasys Theasys theasys allows Stored XSS.This issue affects Theasys: from n/a through <= 1.0.1.

Published: 2025-02-07

Score: 7.1 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The reported issue is an improper neutralization of input during web page generation, allowing a stored cross‑site scripting (XSS) attack. An attacker can exploit the plugin’s CSRF weakness to submit malicious scripts that are later displayed to site visitors. The stored XSS can lead to cookie theft, session hijacking, defacement or other malicious payloads that affect all users who view the affected content.

Affected Systems

Vulnerable instances run the Theasys plugin for WordPress, versions up to and including 1.0.1. Any WordPress installation that has not upgraded past this version is at risk.

Risk and Exploitability

The CVSS base score of 7.1 indicates a high severity with medium impact on confidentiality, integrity and availability. The EPSS score of less than 1% suggests that exploitation is uncommon but not impossible. Because the flaw requires a CSRF vector, an attacker must be able to trick a logged‑in user or administrator into submitting a crafted request; the vulnerability is not active vulnerable from the web server alone. The flaw is not currently listed in the CISA KEV catalog, but its high CVSS makes it a priority for rapid mitigation.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

theasys

Theasys

unaffected

Version	Status	Constraints
`0`	affected	≤ 1.0.1

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Theasys plugin to a version newer than 1.0.1.
If an upgrade is not immediately possible, temporarily disable the plugin to prevent further exploitation.
Monitor the site for unexpected script injections and review user‑generated content logs for evidence of stored XSS.

Generated by OpenCVE AI on May 2, 2026 at 04:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-4054	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in theasys Theasys allows Stored XSS. This issue affects Theasys: from n/a through 1.0.1.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00269.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://patchstack.com/database/Wordpress/Plugin/theasys/vulnerability/wordpress-theasys-plugin-1-0-1-csrf-to-stored-xss-vulnerability?_s_id=cve

History

Thu, 23 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}`

Wed, 01 Apr 2026 23:45:00 +0000

Type	Values Removed	Values Added
Description	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in theasys Theasys allows Stored XSS. This issue affects Theasys: from n/a through 1.0.1.	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in theasys Theasys theasys allows Stored XSS.This issue affects Theasys: from n/a through <= 1.0.1.
References	https://patchstack.com/database/wordpress/plugin/theasys/vulnerability/wordpress-theasys-plugin-1-0-1-csrf-to-stored-xss-vulnerability?_s_id=cve	https://patchstack.com/database/Wordpress/Plugin/theasys/vulnerability/wordpress-theasys-plugin-1-0-1-csrf-to-stored-xss-vulnerability?_s_id=cve
Metrics	cvssV3_1 `{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}`

Wed, 12 Feb 2025 21:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 07 Feb 2025 10:15:00 +0000

Type	Values Removed	Values Added
Description		Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in theasys Theasys allows Stored XSS. This issue affects Theasys: from n/a through 1.0.1.
Title		WordPress Theasys plugin <= 1.0.1 - CSRF to Stored XSS vulnerability
Weaknesses		CWE-79
References		https://patchstack.com/database/wordpress/plugin/theasys/vulnerability/wordpress-theasys-plugin-1-0-1-csrf-to-stored-xss-vulnerability?_s_id=cve
Metrics		cvssV3_1 `{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2025-02-07T10:11:55.111Z

Updated: 2026-04-28T16:11:36.470Z

Reserved: 2025-02-03T13:35:08.294Z

Link: CVE-2025-25144

Vulnrichment

Updated: 2025-02-12T20:45:02.662Z

NVD

Status : Deferred

Published: 2025-02-07T10:15:19.553

Modified: 2026-06-17T09:00:22.260

Link: CVE-2025-25144

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T04:45:34Z

Weaknesses

CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object