Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sparklewpthemes Spark Multipurpose spark-multipurpose allows DOM-Based XSS. This issue affects Spark Multipurpose: from n/a through <= 1.0.7.
Published: 2025-06-20
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is caused by improper neutralization of user input during web page generation, resulting in a DOM‑based cross‑site scripting flaw. An attacker can inject malicious scripts into the theme’s front‑end pages, which are then executed in the browsers of unsuspecting visitors. The attack could allow defacement, credential theft, or delivery of further malware by hijacking user sessions.

Affected Systems

The flaw is present in the WordPress theme Spark Multipurpose, version 1.0.7 and older, developed by sparklewpthemes. All installations of the theme at or below 1.0.7 are affected; newer releases are not mentioned as vulnerable.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, while the EPSS score of <1% suggests a low likelihood of current exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires a user to view a web page that includes the vulnerable output, so the attack surface is limited to the theme's front‑end. Immediate patching is the most effective mitigation.

Generated by OpenCVE AI on April 30, 2026 at 10:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Spark Multipurpose to the latest version (≥ 1.0.8) as soon as possible.
  • If the theme cannot be updated, remove or deactivate it until a fix is available.
  • Apply stricter sanitization or escaping to any theme fields that accept input, or use a plugin that enforces content security.
  • Add a Content Security Policy header to reduce the impact of any retained scripts.

Advisories
Source: EUVD
ID: EUVD-2025-28357
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Sparkle Themes Spark Multipurpose allows DOM-Based XSS. This issue affects Spark Multipurpose: from n/a through 1.0.7.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Sparkle Themes Spark Multipurpose allows DOM-Based XSS. This issue affects Spark Multipurpose: from n/a through 1.0.7.
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sparklewpthemes Spark Multipurpose spark-multipurpose allows DOM-Based XSS. This issue affects Spark Multipurpose: from n/a through <= 1.0.7.
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Mon, 23 Jun 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Jun 2025 15:15:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Sparkle Themes Spark Multipurpose allows DOM-Based XSS. This issue affects Spark Multipurpose: from n/a through 1.0.7.
Title WordPress Spark Multipurpose theme <= 1.0.7 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:16.517Z

Reserved: 2025-06-11T16:08:32.805Z

Link: CVE-2025-50030

Vulnrichment

Updated: 2025-06-23T16:11:32.370Z

NVD

Status: Deferred

Published: 2025-06-20T15:15:29.197

Modified: 2026-04-23T15:32:00.710

Link: CVE-2025-50030

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T11:00:15Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')