Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in creativethemeshq Blocksy blocksy allows Stored XSS.This issue affects Blocksy: from n/a through <= 2.1.6.
Published: 2025-08-14
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability arises from improper neutralization of input during web page generation within the Blocksy theme, allowing attackers to store malicious scripts that execute when the page is rendered. A stored XSS can be used to hijack user sessions, deface content, or spread malware, impacting the confidentiality and integrity of users interacting with the affected site.

Affected Systems

The issue affects the Blocksy theme for WordPress, versions up to and including 2.1.6. Any installation of those versions without a patch is vulnerable.

Risk and Exploitability

The CVSS score of 5.9 indicates moderate severity, while the EPSS score of less than 1% suggests a very low likelihood of exploitation at the present time. The vulnerability is not listed in the CISA KEV catalog. Attackers would need to inject malicious input into the theme’s processing flow, typically via a backend interface or content submission mechanism. Once injected, the script executes in the victim’s browser each time the affected page is loaded.

Generated by OpenCVE AI on April 30, 2026 at 03:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Blocksy theme to a version newer than 2.1.6.
  • Remove or disable any custom code that bypasses the theme’s input sanitization.
  • Configure a Content Security Policy to disallow inline scripts and restrict script sources.

Generated by OpenCVE AI on April 30, 2026 at 03:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-24926 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CreativeThemes Blocksy allows Stored XSS. This issue affects Blocksy: from n/a through 2.1.6.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CreativeThemes Blocksy allows Stored XSS. This issue affects Blocksy: from n/a through 2.1.6. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in creativethemeshq Blocksy blocksy allows Stored XSS.This issue affects Blocksy: from n/a through <= 2.1.6.
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Fri, 15 Aug 2025 08:15:00 +0000

Type Values Removed Values Added
First Time appeared Creativethemes
Creativethemes blocksy
Wordpress
Wordpress wordpress
Vendors & Products Creativethemes
Creativethemes blocksy
Wordpress
Wordpress wordpress

Thu, 14 Aug 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 14 Aug 2025 18:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CreativeThemes Blocksy allows Stored XSS. This issue affects Blocksy: from n/a through 2.1.6.
Title WordPress Blocksy Theme <= 2.1.6 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Creativethemes Blocksy
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:37.517Z

Reserved: 2025-08-14T09:10:30.443Z

Link: CVE-2025-55713

cve-icon Vulnrichment

Updated: 2025-08-14T19:36:33.397Z

cve-icon NVD

Status : Deferred

Published: 2025-08-14T19:15:44.103

Modified: 2026-04-23T15:32:56.647

Link: CVE-2025-55713

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T03:30:27Z

Weaknesses