Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NooTheme Yogi - Health Beauty & Yoga noo-yogi allows Reflected XSS. This issue affects Yogi - Health Beauty & Yoga: from n/a through <= 2.9.2.
Published: 2025-11-06
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an Improper Neutralization of Input During Web Page Generation (Cross‑Site Scripting) in the NooTheme Yogi – Health Beauty & Yoga WordPress theme. Reflected XSS is possible in versions up to and including 2.9.2 when untrusted input is not properly sanitized before being included in a page. The flaw allows the execution of arbitrary scripts in the context of a visitor’s browser, potentially exposing user data or affecting the rendered page.

Affected Systems

The NooTheme Yogi – Health Beauty & Yoga WordPress theme is affected in all versions up to and including 2.9.2. Hosts that use this theme on a WordPress installation are at risk.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity, while the EPSS score is below 1% and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is reflected XSS through untrusted input, requiring no authentication. An attacker would typically need to convince a victim to visit a crafted URL, leading to script execution in the victim's browser. The low exploitation probability suggests limited real-world exploitation, but the impact remains significant.

Generated by OpenCVE AI on April 29, 2026 at 16:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Yogi theme to a version newer than 2.9.2, ensuring the patch that neutralizes user input is applied.
  • If an upgrade cannot yet be performed, disable the Yogi theme or replace it with a trusted alternative until the vulnerability is resolved.
  • Review the theme’s templates and remove any output that echoes user input without proper sanitization; apply a generic WAF rule to filter script‑like payloads if possible.


Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Thu, 13 Nov 2025 11:30:00 +0000


Thu, 13 Nov 2025 10:45:00 +0000


Thu, 06 Nov 2025 20:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wordpress; Wordpress wordpress
Vendors & Products | | Wordpress; Wordpress wordpress

Thu, 06 Nov 2025 20:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 06 Nov 2025 16:00:00 +0000

Type | Values Removed | Values Added
Description | | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NooTheme Yogi - Health Beauty & Yoga noo-yogi allows Reflected XSS.This issue affects Yogi - Health Beauty & Yoga: from n/a through <= 2.9.2.
Title | | WordPress Yogi - Health Beauty & Yoga theme <= 2.9.2 - Cross Site Scripting (XSS) vulnerability
Weaknesses | | CWE-79
References | | 

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T18:45:00.924Z

Reserved: 2025-07-28T10:56:24.796Z

Link: CVE-2025-54718

Vulnrichment

Updated: 2025-11-06T19:47:59.507Z

NVD

Status : Deferred

Published: 2025-11-06T16:15:57.677

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-54718

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T16:30:15Z

Weaknesses