Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in venusweb Logtik logtik allows Reflected XSS. This issue affects Logtik: from n/a through <= 2.3.
Published: 2025-12-18
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Logtik theme for WordPress writes user-controlled input into a generated page without neutralizing it (CWE-79), which allows reflected cross-site scripting. An attacker places script in a crafted URL or form value, the theme echoes it back without escaping, and when a victim opens the link or submits the form the script runs in the victim's browser in the context of the site. That is enough for session hijacking (cookie theft where cookies are not HttpOnly, and authenticated requests made with the victim's session in either case), content defacement, or redirection to a malicious site. A logged-in administrator who opens such a link is the most valuable target.

Affected Systems

This vulnerability affects the venusweb Logtik theme version 2.3 and all earlier releases, on any WordPress installation where the theme is installed. The advisory records the affected range as "n/a through 2.3" and lists no fixed version, so every release up to and including 2.3 should be treated as vulnerable.

Risk and Exploitability

With a CVSS 3.1 base score of 7.1 (vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) the vulnerability is rated High. No privileges are required, the attack is delivered over the network with low complexity, and the only hurdle is user interaction: the victim must open a crafted link or submit a form. The changed scope reflects that the injected script executes in the victim's browser rather than in the vulnerable server component. The EPSS score below 1% indicates that exploitation in the wild is currently rare, and the CVE is not listed in CISA's KEV catalog; neither changes the fact that a single phished user lets an attacker run arbitrary script in that user's session and act on the site with that user's permissions.

Generated by OpenCVE AI on April 29, 2026 at 13:15 UTC.
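
The reflection pattern described under Impact and under Risk and Exploitability, together with the check a tester runs for it, as an added example in Python (not code from the Logtik theme, whose vulnerable parameter this page does not identify). The two render functions are hypothetical stand-ins for a theme template that echoes a query parameter, one raw and one escaped at output the way WordPress esc_attr() does; classify_reflection() is what you apply to a real response body after sending a canary in a parameter. The parameter name s, the host example.test and the response bodies are constructed for the example.

```python
import html
from urllib.parse import parse_qs, urlencode, urlsplit

# Canary sent in the probed parameter. It is unlikely to occur naturally and
# carries the characters that decide exploitability: a double quote (breaks
# out of an attribute value) and angle brackets (open a new tag).
MARK = "zq7"
CANARY = f'{MARK}"><{MARK}>'


def _param(url: str, name: str = "s") -> str:
    """Read one query parameter the way a template would (URL-decoded)."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_vulnerable(url: str) -> str:
    """Hypothetical template with the CWE-79 defect: the search term is written
    into text content and into an attribute value without escaping."""
    q = _param(url)
    return f'<h1>Search results for: {q}</h1>\n<input name="s" value="{q}">'


def render_fixed(url: str) -> str:
    """Same template with output escaping. html.escape(quote=True) encodes
    < > & " and ', the same characters WordPress esc_attr()/esc_html() encode."""
    q = html.escape(_param(url), quote=True)
    return f'<h1>Search results for: {q}</h1>\n<input name="s" value="{q}">'


def classify_reflection(body: str, canary: str = CANARY, mark: str = MARK) -> str:
    """Classify how the canary came back in a response body.

    raw      every metacharacter survived: exploitable reflected XSS
    partial  reflected with a quote or a tag still live: usually exploitable
             in at least one context
    escaped  reflected only in entity-encoded form: not exploitable
    absent   the parameter is not reflected into this page at all
    """
    if canary in body:
        return "raw"
    if mark not in body:
        return "absent"
    if f'{mark}"' in body or f"<{mark}>" in body:
        return "partial"
    return "escaped"


def probe(renderer, param: str = "s", canary: str = CANARY) -> str:
    """Send the canary in `param` to a renderer (stand-in for an HTTP GET) and
    classify the reflection. Against a live target, replace renderer(url) with
    the response body of the request."""
    url = "https://example.test/?" + urlencode({param: canary})
    return classify_reflection(renderer(url), canary)


if __name__ == "__main__":
    for name, renderer in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        print(f"{name:10s} -> {probe(renderer)}")
```

Run the probe once per reflected parameter and per page that echoes it; a "partial" result is worth a closer look at the exact context (attribute, text, URL), because one surviving metacharacter is often enough.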

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check venusweb for a Logtik release later than 2.3 that addresses this issue. This page lists no fixed version, so until one is confirmed treat the theme as unpatched, and consider replacing it with a maintained theme if that is not acceptable.
  • If you maintain the theme code, fix it at the output: escape every echoed request value with the context-appropriate WordPress function (esc_html() in element content, esc_attr() in attribute values, esc_url() in href/src). wp_kses() is for content that is meant to contain HTML; it is not the right tool for reflected parameters.
  • This is unauthenticated reflected XSS (PR:N in the CVSS vector): restricting who may edit the theme or its menus does not close it, because the victim is whoever opens the crafted link. Administrators are the most valuable targets, so warn them not to follow untrusted links to the site while the theme is unpatched.
  • Deploy a Content-Security-Policy that does not allow inline script (nonce- or hash-based script-src, no 'unsafe-inline', object-src 'none', base-uri 'self'). Roll it out with Content-Security-Policy-Report-Only first, since WordPress core and plugins emit inline scripts that must carry the nonce. A WAF rule that blocks obvious script payloads in query strings is a stopgap, not a fix.

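
The content-security-policy recommendation above, as an added example in Python (not from the advisory or the theme): a small checker that parses a CSP header and reports the script-related weaknesses that leave reflected XSS exploitable, run on a constructed permissive policy and on a constructed strict one. The directive semantics follow the CSP specification; the header strings and the nonce are made up for the example.

```python
import secrets

# Source expressions that whitelist individual scripts; with one of these
# present, browsers ignore 'unsafe-inline' for script-src.
_INLINE_KEYS = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a Content-Security-Policy header into {directive: [sources]}.
    Directive names are case-insensitive; sources keep their case."""
    policy: dict[str, list[str]] = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def script_findings(header: str) -> list[str]:
    """Report the weaknesses in a policy that leave reflected XSS exploitable."""
    policy = parse_csp(header)
    findings: list[str] = []
    # script-src falls back to default-src; with neither, any script runs.
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return ["no script-src or default-src: inline and remote scripts are unrestricted"]
    has_nonce_or_hash = any(s.startswith(_INLINE_KEYS) for s in sources)
    if "'unsafe-inline'" in sources and not has_nonce_or_hash:
        findings.append("'unsafe-inline' without a nonce or hash: injected inline script runs")
    if "*" in sources or any(s in ("http:", "https:") for s in sources):
        findings.append("wildcard or scheme-only script source: attacker-hosted scripts load")
    if "'unsafe-eval'" in sources:
        findings.append("'unsafe-eval': string-to-code sinks (eval, new Function) stay open")
    if "object-src" not in policy and "default-src" not in policy:
        findings.append("no object-src: plugin content is another script vector")
    if "base-uri" not in policy:
        findings.append("no base-uri: an injected <base> tag can redirect relative script URLs")
    return findings


def make_nonce() -> str:
    """Per-response nonce; generate a fresh one for every page, never cache it."""
    return secrets.token_urlsafe(16)


def strict_policy(nonce: str) -> str:
    """A script policy that blocks reflected XSS: only scripts carrying this
    response's nonce (and what they load, via 'strict-dynamic') execute."""
    return (
        f"default-src 'self'; script-src 'nonce-{nonce}' 'strict-dynamic'; "
        "object-src 'none'; base-uri 'self'; frame-ancestors 'self'"
    )


# Constructed example of the permissive policy many sites ship today.
WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' https:"

if __name__ == "__main__":
    print("weak:  ", script_findings(WEAK_POLICY))
    print("strict:", script_findings(strict_policy(make_nonce())))
```

Send the strict policy as Content-Security-Policy-Report-Only first and read the violation reports: every inline script that WordPress core, plugins and the theme emit must carry the nonce before the policy is enforced, or the site breaks instead of the attacker's payload.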
Tracking

Advisories

No advisories yet.

History

Fri, 24 Apr 2026 20:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Fri, 19 Dec 2025 09:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress

Thu, 18 Dec 2025 19:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Thu, 18 Dec 2025 07:45:00 +0000

Type: Description
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in venusweb Logtik logtik allows Reflected XSS. This issue affects Logtik: from n/a through <= 2.3.

Type: Title
Values Added: WordPress Logtik theme <= 2.3 - Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values Added: CWE-79

Type: References
Values Added: (not shown)

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T19:38:09.653Z

Reserved: 2025-08-22T11:35:51.302Z

Link: CVE-2025-57897

Vulnrichment

Updated: 2025-12-18T18:58:28.340Z

NVD

Status : Deferred

Published: 2025-12-18T08:15:56.580

Modified: 2026-06-17T09:43:35.683

Link: CVE-2025-57897

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T13:15:11Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')