Description
Cross-Site Request Forgery (CSRF) vulnerability in Themefy Bloggie allows Reflected XSS.This issue affects Bloggie: from n/a through 2.0.8.
Published: 2025-12-31
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a Cross‑Site Request Forgery flaw in Themefy's Bloggie WordPress theme that permits an attacker to inject malicious JavaScript into a reflected parameter. An attacker can craft a URL that, when visited by an authenticated user, will execute script in their browser, allowing session hijacking, cookie theft, defacement, or the execution of arbitrary actions on behalf of that user. This issue combines CSRF (CWE‑352) with reflected XSS, exposing a typical web‑application weak point.

Affected Systems

Affects the Bloggie theme for WordPress distributed by Themefy, all releases up to and including 2.0.8. Sites that still use any 2.0.8 or older version of the theme are vulnerable. The advisory does not list later fix releases, but upgrading to any 2.0.9 or newer version should mitigate the problem.

Risk and Exploitability

The CVSS score of 7.1 classifies the problem as high severity, yet the EPSS score is below 1%, indicating a low current exploitation probability. The vulnerability is not part of the CISA known exploited catalog. Attackers can exploit it remotely via a web browser by delivering a crafted link or form that submits a forged request to the site. No authentication is required for the forged request to trigger the reflected XSS.

Generated by OpenCVE AI on April 30, 2026 at 14:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Bloggie theme to a version newer than 2.0.8, such as 2.0.9 or later.
  • Implement WordPress core nonces or CSRF tokens in all theme-generated form and AJAX requests to validate the origin of the action.
  • Sanitize or escape any data that Bloggie echoes back to the page, ensuring user-supplied input cannot inject JavaScript.
  • Monitor site logs for unexpected script execution or anomalous activity, and consider using a web application firewall that blocks reflected XSS attempts.

Generated by OpenCVE AI on April 30, 2026 at 14:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
References

Tue, 28 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in Themefy Bloggie bloggie allows Reflected XSS.This issue affects Bloggie: from n/a through <= 2.0.8. Cross-Site Request Forgery (CSRF) vulnerability in Themefy Bloggie allows Reflected XSS.This issue affects Bloggie: from n/a through 2.0.8.
References

Thu, 23 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
References

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in Themefy Bloggie allows Reflected XSS.This issue affects Bloggie: from n/a through 2.0.8. Cross-Site Request Forgery (CSRF) vulnerability in Themefy Bloggie bloggie allows Reflected XSS.This issue affects Bloggie: from n/a through <= 2.0.8.
References

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Mon, 05 Jan 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Fri, 02 Jan 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 31 Dec 2025 20:15:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in Themefy Bloggie allows Reflected XSS.This issue affects Bloggie: from n/a through 2.0.8.
Title WordPress Bloggie theme <= 2.0.8 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:04.342Z

Reserved: 2025-03-26T09:23:42.945Z

Link: CVE-2025-31054

cve-icon Vulnrichment

Updated: 2026-01-02T19:20:11.007Z

cve-icon NVD

Status : Deferred

Published: 2025-12-31T20:15:42.500

Modified: 2026-04-28T19:30:56.510

Link: CVE-2025-31054

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T14:30:06Z

Weaknesses