Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Zootemplate Cerato cerato allows Reflected XSS.This issue affects Cerato: from n/a through <= 2.2.18.
Published: 2026-04-10
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross‑Site Scripting
Action: Patch Immediately
AI Analysis

Impact

The vulnerability is an instance of improper neutralization of input during web page generation in the Zootemplate Cerato theme, classified as CWE‑79. Attackers can embed malicious JavaScript that is reflected back into the HTML response when a user visits a specially crafted URL. This reflected XSS allows arbitrary script execution in the victim’s browser. The CVE description does not detail further consequences; it is therefore inferred that the impact is limited to the user viewing the affected page.

Affected Systems

WordPress sites that use the Zootemplate Cerato theme version 2.2.18 or earlier are affected.

Risk and Exploitability

With a CVSS score of 7.1 the vulnerability is moderate to high risk. The EPSS score is less than 1% indicating a very low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. The most likely attack vector is through a crafted URL that exploits the theme’s insufficient input sanitization; this would cause the reflected XSS payload to execute in the victim’s browser.

Generated by OpenCVE AI on April 29, 2026 at 00:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Cerato theme to version 2.2.19 or later.
  • Implement a strict Content Security Policy that blocks inline scripts (e.g., 'script-src' directives without 'unsafe-inline').
  • Ensure that any user‑supplied query parameters are properly sanitized or removed from the output before rendering.

Generated by OpenCVE AI on April 29, 2026 at 00:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:45:00 +0000

Type Values Removed Values Added
References

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Zootemplate Cerato allows Reflected XSS.This issue affects Cerato: from n/a through 2.2.18. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Zootemplate Cerato cerato allows Reflected XSS.This issue affects Cerato: from n/a through <= 2.2.18.
References

Fri, 10 Apr 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Zootemplate
Zootemplate cerato
Vendors & Products Wordpress
Wordpress wordpress
Zootemplate
Zootemplate cerato

Fri, 10 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 10 Apr 2026 13:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Zootemplate Cerato allows Reflected XSS.This issue affects Cerato: from n/a through 2.2.18.
Title WordPress Cerato theme <= 2.2.18 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Wordpress Wordpress
Zootemplate Cerato
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:49.426Z

Reserved: 2025-09-06T04:44:19.611Z

Link: CVE-2025-58920

cve-icon Vulnrichment

Updated: 2026-04-10T14:07:39.432Z

cve-icon NVD

Status : Deferred

Published: 2026-04-10T14:16:25.283

Modified: 2026-04-24T18:00:32.033

Link: CVE-2025-58920

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T00:45:26Z

Weaknesses