Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Detheme DethemeKit For Elementor dethemekit-for-elementor allows Stored XSS. This issue affects DethemeKit For Elementor: from n/a through <= 2.1.8.
Published: 2025-02-17
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

DeThemeKit For Elementor allows users to store arbitrary scripts that are later rendered in the browser without proper sanitization. The Stored XSS flaw permits an attacker to inject JavaScript into the site's page output, which can lead to cookie theft, session hijacking, defacement, or other client-side attacks. This weakness corresponds to CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').

Affected Systems

The vulnerability exists in all releases of DeThemeKit For Elementor up to and including version 2.1.8. WordPress sites that have the plugin installed and are running any of those versions are exposed until the issue is corrected by a newer release.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate impact. The EPSS score of less than 1 % suggests that exploitation is unlikely but not impossible, especially in targeted attacks. The vulnerability is not currently listed in the CISA KEV catalog. Based on the description, the likely attack vector is the ability to create or edit content through the DeThemeKit plugin, which stores the malicious payload and renders it to visitors. The attacker would need a role with content authoring privileges, or, alternatively, would have to use a compromised account to inject the script.

Generated by OpenCVE AI on May 2, 2026 at 04:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade DeThemeKit For Elementor to the latest version (2.1.9 or later), which removes the XSS flaw.
  • If an upgrade is not feasible, disable or uninstall the plugin to eliminate the attack surface.
  • Implement a web application firewall rule to block injection of script tags or other suspicious payloads in content submission fields.

Advisories
Source: EUVD
ID: EUVD-2025-4874
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Detheme DethemeKit For Elementor allows Stored XSS. This issue affects DethemeKit For Elementor: from n/a through 2.1.8.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Values Removed: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}
Values Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Detheme DethemeKit For Elementor allows Stored XSS. This issue affects DethemeKit For Elementor: from n/a through 2.1.8.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Detheme DethemeKit For Elementor dethemekit-for-elementor allows Stored XSS. This issue affects DethemeKit For Elementor: from n/a through <= 2.1.8.

Type: References

Type: Metrics (cvssV3_1)
Values Removed: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}
Values Added: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


Wed, 16 Jul 2025 13:45:00 +0000

Type: Metrics (epss)
Values Removed: {'score': 0.00054}
Values Added: {'score': 0.00024}


Thu, 20 Mar 2025 12:45:00 +0000

Type: First Time appeared
Values Added: Detheme; Detheme dethemekit For Elementor

Type: CPEs
Values Added: cpe:2.3:a:detheme:dethemekit_for_elementor:*:*:*:*:*:wordpress:*:*

Type: Vendors & Products
Values Added: Detheme; Detheme dethemekit For Elementor

Tue, 18 Feb 2025 20:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 17 Feb 2025 11:45:00 +0000

Type: Description
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Detheme DethemeKit For Elementor allows Stored XSS. This issue affects DethemeKit For Elementor: from n/a through 2.1.8.

Type: Title
Values Added: WordPress DethemeKit For Elementor plugin <= 2.1.8 - Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values Added: CWE-79

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:41.000Z

Reserved: 2025-02-14T06:53:43.229Z

Link: CVE-2025-26772

Vulnrichment

Updated: 2025-02-18T15:09:10.890Z

NVD

Status: Modified

Published: 2025-02-17T12:15:28.980

Modified: 2026-04-23T15:25:57.277

Link: CVE-2025-26772

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T04:30:16Z

Weaknesses