Description
The Betheme theme for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Button shortcode and Custom CSS field in all versions up to, and including, 28.0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-04-16
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting in the Betheme WordPress theme, injectable by authenticated Contributors or higher and executed in the browser of any user who views an affected page
Action: Apply Patch
AI Analysis

Impact

The Betheme theme contains a Stored Cross-Site Scripting flaw caused by insufficient sanitization of user input in the Button shortcode attributes and the Custom CSS field. The stored content is rendered without proper output escaping, so injected JavaScript executes whenever any user views the affected page. This could enable attackers to steal cookies, hijack sessions, deface content, or execute additional malicious payloads, compromising confidentiality and integrity and potentially availability.

Affected Systems

All versions of the Betheme theme for WordPress up to and including 28.0.3 are affected. The vendor is Muffingroup and the product is Betheme; no finer-grained vendor or product information is supplied beyond this version range.

Risk and Exploitability

The vulnerability is rated 6.4 (Medium) on CVSS v3.1 (vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N). The EPSS score is below 1%, indicating a low estimated likelihood of exploitation at present, and the issue is not listed in the CISA KEV catalog. Exploitation requires authentication with at least Contributor-level access. An attacker with that privilege can edit pages or posts, store malicious content via the shortcode or Custom CSS field, and have the script run on subsequent page loads for all visitors.

Generated by OpenCVE AI on April 21, 2026 at 21:18 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Update the Betheme theme to the latest version (greater than 28.0.3), in which the input validation and output escaping flaws have been corrected.
  • After updating, audit all pages and posts that previously contained Custom CSS or Button shortcodes to ensure no residual script remains, and remove any unexpected content an attacker may have stored.
  • Re-evaluate the permissions granted to the Contributor role in WordPress to minimize the scope for stored-XSS injection.


Tracking


Advisories
Source: EUVD
ID: EUVD-2025-11467
Title: The Betheme theme for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Button shortcode and Custom CSS field in all versions up to, and including, 28.0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Fri, 10 Apr 2026 04:15:00 +0000

Type: Metrics
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 04 Jun 2025 23:00:00 +0000

Type: First Time appeared
Values added: Muffingroup; Muffingroup betheme

Type: CPEs
Values added: cpe:2.3:a:muffingroup:betheme:*:*:*:*:*:wordpress:*:*

Type: Vendors & Products
Values added: Muffingroup; Muffingroup betheme

Wed, 16 Apr 2025 07:45:00 +0000

Type: Description
Values added: The Betheme theme for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Button shortcode and Custom CSS field in all versions up to, and including, 28.0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Type: Title
Values added: Betheme <= 28.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

Type: Weaknesses
Values added: CWE-79

Type: References (no values shown)

Type: Metrics
Values added: cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Muffingroup Betheme
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:02:17.401Z

Reserved: 2025-03-31T23:24:28.234Z

Link: CVE-2025-3077

Vulnrichment

Updated: 2025-04-16T14:11:36.891Z

NVD

Status: Analyzed

Published: 2025-04-16T08:15:14.500

Modified: 2025-06-04T22:38:13.343

Link: CVE-2025-3077

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T21:30:45Z

Weaknesses