Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themeton Spare allows Reflected XSS. This issue affects Spare: from n/a through 1.7.
Published: 2025-06-09
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Spare WordPress theme contains an improper neutralization of user input during web page rendering, allowing attackers to inject arbitrary JavaScript that is reflected back to victims. This reflected XSS flaw can be used to hijack sessions, steal credentials, deface content, or redirect users to malicious sites, thereby compromising confidentiality, integrity, and potentially availability of the site’s users.

Affected Systems

WordPress users running themeton’s Spare theme versions up to and including 1.7 are affected. All releases prior to 1.8 contain the unsafe input handling that leads to reflected XSS.

Risk and Exploitability

The flaw carries a CVSS score of 7.1, an EPSS score of less than 1%, and is not listed in the CISA KEV catalog. Attackers can exploit the vulnerability simply by delivering a crafted link or form to a victim; no authentication or privilege escalation is required. The low EPSS suggests opportunistic exploitation, but the high impact of reflected XSS still warrants immediate attention.

Generated by OpenCVE AI on April 30, 2026 at 17:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Spare theme to the latest version (1.8 or higher) that eliminates the reflected XSS issue.
  • If an upgrade is not yet possible, implement a web application firewall rule or input filter that blocks or sanitizes script payloads when users interact with the Spare theme pages.
  • If the Spare theme is not essential, consider disabling or removing it until a safe version can be applied.

Advisories
Source: EUVD
ID: EUVD-2025-17504
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themeton Spare allows Reflected XSS. This issue affects Spare: from n/a through 1.7.
History

Tue, 28 Apr 2026 19:45:00 +0000


Tue, 28 Apr 2026 18:30:00 +0000

Type: Description
  Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themeton Spare spare allows Reflected XSS.This issue affects Spare: from n/a through <= 1.7.
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themeton Spare allows Reflected XSS. This issue affects Spare: from n/a through 1.7.
Type: Title
  Values Removed: WordPress Spare theme <= 1.7 - Cross Site Scripting (XSS) Vulnerability
  Values Added: WordPress Spare <= 1.7 - Cross Site Scripting (XSS) Vulnerability
Type: References

Thu, 23 Apr 2026 15:30:00 +0000


Thu, 23 Apr 2026 15:00:00 +0000

Type: Description
  Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themeton Spare allows Reflected XSS. This issue affects Spare: from n/a through 1.7.
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themeton Spare spare allows Reflected XSS.This issue affects Spare: from n/a through <= 1.7.
Type: Title
  Values Removed: WordPress Spare <= 1.7 - Cross Site Scripting (XSS) Vulnerability
  Values Added: WordPress Spare theme <= 1.7 - Cross Site Scripting (XSS) Vulnerability
Type: References

Fri, 11 Jul 2025 13:45:00 +0000

Type: Metrics (epss)
  Values Removed: {'score': 0.00036}
  Values Added: {'score': 0.00039}


Tue, 10 Jun 2025 14:15:00 +0000

Type: Metrics (ssvc)
  Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 09 Jun 2025 16:15:00 +0000

Type: Description
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themeton Spare allows Reflected XSS. This issue affects Spare: from n/a through 1.7.
Type: Title
  Values Added: WordPress Spare <= 1.7 - Cross Site Scripting (XSS) Vulnerability
Type: Weaknesses
  Values Added: CWE-79
Type: References
Type: Metrics (cvssV3_1)
  Values Added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:10.768Z

Reserved: 2025-03-31T10:06:37.635Z

Link: CVE-2025-31638

Vulnrichment

Updated: 2025-06-10T13:35:26.152Z

NVD

Status: Deferred

Published: 2025-06-09T16:15:38.877

Modified: 2026-04-28T19:31:13.320

Link: CVE-2025-31638

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T18:00:14Z

Weaknesses