Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThimPress Eduma eduma allows Stored XSS.This issue affects Eduma: from n/a through <= 5.7.6.
Published: 2025-10-29
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper neutralization of input during web page generation that results in stored XSS. Malicious input can be saved and later executed in other users' browsers, enabling code injection, phishing, or session hijack. The weakness corresponds to CWE‑79.

Affected Systems

The flaw exists in the ThimPress Eduma WordPress theme. All versions up to and including 5.7.6 are affected. No lower bound is provided, but the vulnerability applies to any installation using a version equal to or lower than 5.7.6.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. The EPSS score is listed as <1%, implying a very low probability of exploitation in the near term. The vulnerability has not been recorded in the CISA KEV catalog. Attackers can target the theme via normal web interface, submitting crafted input that is stored and rendered to other visitors; the fix requires a theme upgrade. Without mitigation, an attacker who can inject content could execute arbitrary JavaScript in the context of any site visitor.

Generated by OpenCVE AI on April 29, 2026 at 20:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Eduma theme to a version that addresses the XSS flaw.
  • Verify that user roles with content‑creation permissions are properly restricted, and consider disabling or limiting the use of the affected input fields in the theme.
  • If an upgrade is not immediately possible, block or sanitize the vulnerable input parameters by implementing a web‑application firewall rule that filters JavaScript payloads.

Generated by OpenCVE AI on April 29, 2026 at 20:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Thu, 13 Nov 2025 11:30:00 +0000

Type Values Removed Values Added
References

Thu, 13 Nov 2025 10:45:00 +0000

Type Values Removed Values Added
References

Thu, 30 Oct 2025 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Thimpress
Thimpress eduma
Wordpress
Wordpress wordpress
Vendors & Products Thimpress
Thimpress eduma
Wordpress
Wordpress wordpress

Wed, 29 Oct 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 29 Oct 2025 09:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThimPress Eduma eduma allows Stored XSS.This issue affects Eduma: from n/a through <= 5.7.6.
Title WordPress Eduma theme <= 5.7.6 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Thimpress Eduma
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T18:23:12.935Z

Reserved: 2025-10-29T03:06:57.131Z

Link: CVE-2025-64194

cve-icon Vulnrichment

Updated: 2025-10-29T13:40:55.702Z

cve-icon NVD

Status : Deferred

Published: 2025-10-29T09:15:38.593

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-64194

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T20:30:19Z

Weaknesses