Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeix Churel allows DOM-Based XSS. This issue affects Churel: from n/a through 1.0.8.
Published: 2025-03-31
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of user‐generated input during web page rendering creates a DOM‑based cross‑site scripting flaw. When a victim visits a crafted URL or submits a malicious form, the plugin’s code injects arbitrary JavaScript into the page, enabling an attacker to steal session cookies, deface the site, or redirect users to malicious domains. The vulnerability is classified as CWE‑79.

Affected Systems

WordPress sites that have installed the Churel plugin from Themeix, including all releases through version 1.0.8. Any user visiting a page that renders the plugin’s output can be exposed to the flaw.

Risk and Exploitability

With a CVSS score of 6.5, the flaw is of medium severity, but the EPSS score of <1% indicates a low probability of exploitation in the wild, and it is not currently listed in the CISA KEV catalog. The exploit requires a user to load a vulnerable page, typically through a crafted link or form submission, so an attacker can trigger script execution in the victim’s browser by delivering malicious input to the plugin’s processing logic.

Generated by OpenCVE AI on May 1, 2026 at 03:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Churel plugin to the latest available version or apply a vendor‑provided patch.
  • If no update is immediately available, temporarily disable the Churel plugin until a fix is released.
  • Implement a strict Content Security Policy that disallows inline scripts and scripts from untrusted sources to mitigate potential exploitation while awaiting a permanent fix.



Advisories
Source: EUVD
ID: EUVD-2025-8739
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeix Churel allows DOM-Based XSS. This issue affects Churel: from n/a through 1.0.8.
History

Tue, 28 Apr 2026 19:45:00 +0000


Tue, 28 Apr 2026 18:30:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeix Churel churel allows DOM-Based XSS. This issue affects Churel: from n/a through <= 1.0.8.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeix Churel allows DOM-Based XSS. This issue affects Churel: from n/a through 1.0.8.
References

Thu, 23 Apr 2026 15:30:00 +0000


Thu, 23 Apr 2026 15:00:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeix Churel allows DOM-Based XSS. This issue affects Churel: from n/a through 1.0.8.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeix Churel churel allows DOM-Based XSS. This issue affects Churel: from n/a through <= 1.0.8.
References

Mon, 31 Mar 2025 13:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 31 Mar 2025 11:00:00 +0000

Type: Description
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeix Churel allows DOM-Based XSS. This issue affects Churel: from n/a through 1.0.8.
Type: Title
Values Added: WordPress Churel plugin <= 1.0.8 - Cross Site Scripting (XSS) vulnerability
Type: Weaknesses
Values Added: CWE-79
Type: References
Type: Metrics
Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:06.826Z

Reserved: 2025-03-28T11:00:03.509Z

Link: CVE-2025-31419

Vulnrichment

Updated: 2025-03-31T12:28:09.638Z

NVD

Status: Deferred

Published: 2025-03-31T11:15:39.827

Modified: 2026-04-28T19:31:02.437

Link: CVE-2025-31419

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T03:15:07Z

Weaknesses