Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in designthemes Invico - WordPress Consulting Business Theme invico allows Reflected XSS. This issue affects Invico - WordPress Consulting Business Theme: from n/a through <= 1.9.
Published: 2025-07-16
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the "Invico - WordPress Consulting Business Theme", where user-supplied input is not properly neutralized before it is written into page output. An attacker can inject JavaScript that a victim's browser executes when viewing the affected page, enabling session hijacking, defacement, or other client-side attacks. The flaw is a classic input neutralization weakness, catalogued as CWE-79.

Affected Systems

The flaw affects all installations of Invico version 1.9 or earlier. Any WordPress site with this theme active is potentially vulnerable.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity, while the EPSS score below 1% suggests a low current probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, so no widespread exploitation is known. The likely attack vector is a crafted URL or input field whose value is reflected into the page's HTML, targeting users who load the affected page. Exploitation requires user interaction (for example, clicking a link), but the technical barrier is low and the flaw lends itself to social-engineering campaigns.

Generated by OpenCVE AI on May 1, 2026 at 06:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Invico theme to the latest release that removes the reflected XSS flaw
  • If an update is not available, replace the theme with a security‑compliant alternative
  • Add a WAF rule or use a security plugin to detect and block reflected XSS payloads targeting the theme

Advisories

Source: EUVD
ID: EUVD-2025-21616
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in designthemes Invico - WordPress Consulting Business Theme allows Reflected XSS. This issue affects Invico - WordPress Consulting Business Theme: from n/a through 1.9.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Value: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Value removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in designthemes Invico - WordPress Consulting Business Theme allows Reflected XSS. This issue affects Invico - WordPress Consulting Business Theme: from n/a through 1.9.
Value added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in designthemes Invico - WordPress Consulting Business Theme invico allows Reflected XSS.This issue affects Invico - WordPress Consulting Business Theme: from n/a through <= 1.9.

Type: References (no values shown)

Type: Metrics (cvssV3_1)
Value: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 16 Jul 2025 21:15:00 +0000

Type: Metrics (ssvc)
Value: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 16 Jul 2025 13:45:00 +0000

Type: Metrics (epss)
Value: {'score': 0.00032}

Wed, 16 Jul 2025 11:45:00 +0000

Type: Description
Value added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in designthemes Invico - WordPress Consulting Business Theme allows Reflected XSS. This issue affects Invico - WordPress Consulting Business Theme: from n/a through 1.9.

Type: Title
Value added: WordPress Invico - WordPress Consulting Business Theme <= 1.9 - Cross Site Scripting (XSS) Vulnerability

Type: Weaknesses
Value added: CWE-79

Type: References (no values shown)

Type: Metrics (cvssV3_1)
Value added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:06.903Z

Reserved: 2025-03-28T11:00:15.484Z

Link: CVE-2025-31427

Vulnrichment

Updated: 2025-07-16T20:27:03.464Z

NVD

Status: Deferred

Published: 2025-07-16T12:15:26.170

Modified: 2026-04-23T15:27:48.400

Link: CVE-2025-31427

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T07:00:06Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')