Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in graphthemes Glossy Blog glossy-blog allows Stored XSS. This issue affects Glossy Blog: from n/a through <= 1.0.3.
Published: 2025-04-15
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a stored cross-site scripting flaw: attacker-supplied script is saved by the site and later emitted unescaped in pages rendered by the Glossy Blog theme, so it executes in the browsers of visitors who view those pages.

Affected Systems

The flaw affects the WordPress Glossy Blog theme from version n/a through 1.0.3, so any WordPress site with that theme active is affected.

Risk and Exploitability

The CVSS score is 6.5, indicating moderate severity. The EPSS score is below 1 percent, suggesting a low probability of exploitation at present, and the vulnerability is not currently listed in the CISA KEV catalog. The typical attack vector is an authenticated user who can create or edit content rendered by the theme, such as a contributor or admin user. Once stored, the malicious script is served to every user who views the affected page, which can lead to data theft or defacement.

Generated by OpenCVE AI on May 1, 2026 at 10:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest version of the Glossy Blog theme (>=1.0.4) which removes the stored XSS issue.
  • Disable or remove any user roles that can insert unfiltered HTML into the site, such as limiting contributor capabilities.
  • If an upgrade cannot be applied immediately, sanitize or escape all content rendered by the theme, or deactivate the theme until a patch is available.


Advisories
Source: EUVD
ID: EUVD-2025-11115
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in graphthemes Glossy Blog allows Stored XSS. This issue affects Glossy Blog: from n/a through 1.0.3.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Values removed: none
Values added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in graphthemes Glossy Blog allows Stored XSS. This issue affects Glossy Blog: from n/a through 1.0.3.
Values added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in graphthemes Glossy Blog glossy-blog allows Stored XSS. This issue affects Glossy Blog: from n/a through <= 1.0.3.

Type: References

Type: Metrics (cvssV3_1)
Values removed: none
Values added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 16 Apr 2025 14:15:00 +0000

Type: Metrics (ssvc)
Values removed: none
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 15 Apr 2025 22:00:00 +0000

Type: Description
Values added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in graphthemes Glossy Blog allows Stored XSS. This issue affects Glossy Blog: from n/a through 1.0.3.

Type: Title
Values added: WordPress Glossy Blog theme <= 1.0.3 - Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values added: CWE-79

Type: References

Type: Metrics (cvssV3_1)
Values added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:44.291Z

Reserved: 2025-02-17T11:51:10.110Z

Link: CVE-2025-26934

Vulnrichment

Updated: 2025-04-16T13:37:52.292Z

NVD

Status: Deferred

Published: 2025-04-15T22:15:18.607

Modified: 2026-06-17T09:02:37.750

Link: CVE-2025-26934

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T10:30:15Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')