Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themelooks mFolio Lite mfolio-lite allows DOM-Based XSS. This issue affects mFolio Lite: from n/a through <= 1.2.3.
Published: 2025-04-01
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of input during web page generation (DOM-based XSS) allows an attacker to inject arbitrary JavaScript into a victim's browser context when the mfolio-lite plugin processes user-supplied data. The CVE description does not specify particular outcomes, but execution of client-side code in the victim's session can lead to unauthorized actions performed within the victim's browser.

Affected Systems

The WordPress plugin mfolio-lite from Themelooks, versions 1.2.3 and earlier, is affected.

Risk and Exploitability

The CVSS score is 6.5 (medium severity), while the EPSS score of less than 1% suggests a very low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation can occur remotely by delivering a crafted URL or content that the plugin fails to sanitize. Because the flaw is DOM-based, the injected payload is handled entirely by client-side JavaScript; no server-side code execution is required, and an attacker only needs a victim to view a page that incorporates the plugin.

Generated by OpenCVE AI on May 1, 2026 at 11:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WordPress plugin mfolio‑lite to the latest version that includes the fix, or remove it if no patch is available
  • Keep WordPress core, themes, and other plugins updated with the latest security releases
  • Implement proper output escaping or sanitization for any user‑generated content before it is rendered by the plugin, following best practices for mitigating CWE‑79 vulnerabilities

Advisories
Source: EUVD
ID: EUVD-2025-9185
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themelooks mFolio Lite allows DOM-Based XSS. This issue affects mFolio Lite: from n/a through 1.2.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Added: cvssV3_1
{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themelooks mFolio Lite allows DOM-Based XSS. This issue affects mFolio Lite: from n/a through 1.2.2.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themelooks mFolio Lite mfolio-lite allows DOM-Based XSS. This issue affects mFolio Lite: from n/a through <= 1.2.3.

Type: Title
Values Removed: WordPress mFolio Lite plugin <= 1.2.2 - Cross Site Scripting (XSS) vulnerability
Values Added: WordPress mFolio Lite plugin <= 1.2.3 - Cross Site Scripting (XSS) vulnerability

Type: References

Type: Metrics
Values Added: cvssV3_1
{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Tue, 01 Apr 2025 16:15:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 01 Apr 2025 15:00:00 +0000

Type: Description
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themelooks mFolio Lite allows DOM-Based XSS. This issue affects mFolio Lite: from n/a through 1.2.2.

Type: Title
Values Added: WordPress mFolio Lite plugin <= 1.2.2 - Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values Added: CWE-79

Type: References

Type: Metrics
Values Added: cvssV3_1
{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:14.278Z

Reserved: 2025-04-01T13:20:50.880Z

Link: CVE-2025-31847

Vulnrichment

Updated: 2025-04-01T16:03:09.410Z

NVD

Status: Deferred

Published: 2025-04-01T15:16:25.633

Modified: 2026-04-23T15:28:24.643

Link: CVE-2025-31847

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T11:45:16Z

Weaknesses