Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in designingmedia Hostiko hostiko allows Reflected XSS. This issue affects Hostiko: from n/a through < 30.1.
Published: 2025-03-26
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An attacker can craft a malicious URL that contains JavaScript, which is reflected in the page output and executed within the user’s browser. The flaw stems from improper neutralization of input during web page generation, allowing reflected cross‑site scripting that can compromise user accounts and data integrity.

Affected Systems

WordPress sites that use the designingmedia Hostiko theme at any version older than 30.1 are susceptible to this issue.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.1, indicating high severity. Its EPSS score is less than 1% and it is not currently listed in the CISA KEV catalog, suggesting a low probability of widespread exploitation. Attacks would rely on social engineering to get users to visit a crafted URL, and no privileged access is required.

Generated by OpenCVE AI on May 1, 2026 at 13:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Hostiko theme to version 30.1 or newer.
  • If an upgrade is not possible, sanitize any user‑supplied content rendered by the theme and disable features that expose unsanitized input.
  • Apply a strict content‑security‑policy header to block inline script execution and reduce the impact of any remaining XSS vectors.

Advisories
Source: EUVD
ID: EUVD-2025-8218
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in designingmedia Hostiko allows Reflected XSS. This issue affects Hostiko: from n/a before 30.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in designingmedia Hostiko allows Reflected XSS. This issue affects Hostiko: from n/a before 30.1.
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in designingmedia Hostiko hostiko allows Reflected XSS. This issue affects Hostiko: from n/a through < 30.1.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 26 Mar 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 26 Mar 2025 14:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in designingmedia Hostiko allows Reflected XSS. This issue affects Hostiko: from n/a before 30.1.
Title WordPress Hostiko Theme < 30.1 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:46.736Z

Reserved: 2025-02-17T11:52:15.090Z

Link: CVE-2025-27014

Vulnrichment

Updated: 2025-03-26T14:52:17.695Z

NVD

Status: Deferred

Published: 2025-03-26T15:16:13.527

Modified: 2026-06-17T09:02:45.727

Link: CVE-2025-27014

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T13:15:20Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')