Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NooTheme WeMusic noo-wemusic allows Reflected XSS.This issue affects WeMusic: from n/a through <= 1.9.1.
Published: 2025-11-06
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WeMusic theme contains an improper neutralization of input during web page generation that allows attackers to inject malicious JavaScript through user‑supplied data, leading to a reflected cross‑site scripting (XSS) vulnerability (CWE‑79). This flaw enables attackers to execute arbitrary scripts in the context of a victim’s browser, which can be used for phishing, cookie theft, or defacement. The vulnerability is triggered by referrable user data and results in a loss of confidentiality and integrity for any authenticated or unauthenticated user who views the affected page.

Affected Systems

The critical component is the NooTheme WeMusic WordPress theme. All releases through version 1.9.1 are affected. Users running these versions should review their WordPress installations for the presence of the WeMusic theme.

Risk and Exploitability

The CVSS score of 7.1 classifies this issue as high severity, and the EPSS score of less than 1% indicates a low probability of active exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Exploit requires a web request containing the malicious payload – typically an attacker can craft a link and trick a victim into visiting it, which triggers execution of the injected script.

Generated by OpenCVE AI on April 30, 2026 at 05:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WeMusic theme to the latest version that removes the XSS vulnerability.
  • If upgrading immediately is not possible, deactivate or uninstall the WeMusic theme to eliminate the attack surface.
  • Configure a web application firewall to block or sanitize requests containing suspicious JavaScript payloads to provide temporary protection.

Generated by OpenCVE AI on April 30, 2026 at 05:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H'}

 cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Thu, 13 Nov 2025 11:30:00 +0000

Type Values Removed Values Added
References

Thu, 13 Nov 2025 10:45:00 +0000

Type Values Removed Values Added
References

Fri, 07 Nov 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 06 Nov 2025 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Thu, 06 Nov 2025 16:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NooTheme WeMusic noo-wemusic allows Reflected XSS.This issue affects WeMusic: from n/a through <= 1.9.1.
Title WordPress WeMusic theme <= 1.9.1 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:26.988Z

Reserved: 2025-07-03T14:51:13.582Z

Link: CVE-2025-53585

cve-icon Vulnrichment

Updated: 2025-11-07T19:41:01.038Z

cve-icon NVD

Status : Deferred

Published: 2025-11-06T16:15:57.227

Modified: 2026-04-27T18:16:22.637

Link: CVE-2025-53585

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T05:15:28Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')