Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in shinetheme Traveler traveler allows Reflected XSS. This issue affects Traveler: from n/a through < 3.2.3.
Published: 2025-09-26
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of user input in the shinetheme Traveler WordPress theme allows reflected XSS, enabling an attacker to inject and execute arbitrary JavaScript in a victim’s browser. This can lead to session hijacking, defacement, or the execution of malicious payloads within the user’s context. The weakness corresponds to CWE‑79.

Affected Systems

The vulnerability is present in the shinetheme Traveler theme from its inception up to, but not including, version 3.2.3. All deployments of the shinetheme Traveler theme falling in that range are affected, regardless of WordPress core version.

Risk and Exploitability

The CVSS score of 7.1 classifies the issue as high severity. The EPSS score of less than 1% indicates a low probability of exploitation at present, and the flaw is not listed in CISA’s KEV catalog, meaning no confirmed exploitation has been observed. Based on the description, the likely attack vector is inferred to involve any user‑supplied input rendered by the theme, such as URL query parameters or form fields, which attackers could manipulate to deliver malicious scripts.

Generated by OpenCVE AI on April 30, 2026 at 14:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the shinetheme Traveler theme to version 3.2.3 or newer to eliminate the reflected XSS flaw.
  • If an upgrade is not immediately possible, ensure that all user‑supplied data displayed by the shinetheme Traveler theme is escaped using WordPress sanitization functions such as esc_html() or wp_kses() before rendering.
  • Regularly check the shinetheme Traveler theme’s update feed and apply any new security patches as they become available.

Advisories
Source: EUVD
ID: EUVD-2025-31317
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in shinetheme Traveler allows Reflected XSS. This issue affects Traveler: from n/a through n/a.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in shinetheme Traveler allows Reflected XSS. This issue affects Traveler: from n/a through n/a.
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in shinetheme Traveler traveler allows Reflected XSS. This issue affects Traveler: from n/a through < 3.2.3.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Mon, 29 Sep 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 29 Sep 2025 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Fri, 26 Sep 2025 08:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in shinetheme Traveler allows Reflected XSS. This issue affects Traveler: from n/a through n/a.
Title WordPress Traveler theme < 3.2.3 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T01:04:56.111Z

Reserved: 2025-09-06T04:45:39.391Z

Link: CVE-2025-59012

Vulnrichment

Updated: 2025-09-29T16:39:22.494Z

NVD

Status: Deferred

Published: 2025-09-26T09:15:33.690

Modified: 2026-06-17T09:45:25.900

Link: CVE-2025-59012

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T15:00:14Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')