Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Theme Junkie Theme Junkie Team Content theme-junkie-team-content allows DOM-Based XSS. This issue affects Theme Junkie Team Content: from n/a through <= 0.1.1.
Published: 2025-06-27
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WordPress Theme Junkie Team Content plugin contains an improper neutralization of input during web page generation, leading to a DOM‑based cross‑site scripting vulnerability. This flaw permits an attacker to inject arbitrary JavaScript that executes in the victim’s browser when the plugin’s content is rendered.

Affected Systems

WordPress sites that have the Theme Junkie Team Content plugin installed in version 0.1.1 or earlier. The plugin is distributed by the vendor Theme Junkie under the product name Theme Junkie Team Content.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate impact, and the EPSS score of less than 1 % shows a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker could supply crafted input that is reflected in the plugin’s output, which a victim must view in their browser for the script to run. Therefore the attack vector requires user interaction or content injection through the plugin’s interface, and while the likelihood of exploitation is currently low, the risk remains moderate due to the potential impact of client‑side code execution.

Generated by OpenCVE AI on May 1, 2026 at 07:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Theme Junkie Team Content to the latest version that eliminates the XSS flaw.
  • If an upgrade cannot be performed immediately, sanitize all user‑supplied data before rendering by the plugin and escape output as needed.
  • Restrict administrative access to the plugin and monitor for anomalous content that might indicate exploitation.



Advisories
Source: EUVD
ID: EUVD-2025-19366
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Theme Junkie Theme Junkie Team Content allows DOM-Based XSS. This issue affects Theme Junkie Team Content: from n/a through 0.1.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Theme Junkie Theme Junkie Team Content allows DOM-Based XSS. This issue affects Theme Junkie Team Content: from n/a through 0.1.1.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Theme Junkie Theme Junkie Team Content theme-junkie-team-content allows DOM-Based XSS. This issue affects Theme Junkie Team Content: from n/a through <= 0.1.1.
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Fri, 27 Jun 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 27 Jun 2025 13:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Theme Junkie Theme Junkie Team Content allows DOM-Based XSS. This issue affects Theme Junkie Team Content: from n/a through 0.1.1.
Title WordPress Theme Junkie Team Content plugin <= 0.1.1 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:23.508Z

Reserved: 2025-06-27T11:58:59.925Z

Link: CVE-2025-53301

Vulnrichment

Updated: 2025-06-27T13:46:43.717Z

NVD

Status: Deferred

Published: 2025-06-27T14:15:52.073

Modified: 2026-04-23T15:32:27.223

Link: CVE-2025-53301

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T07:15:11Z

Weaknesses