Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kriesi Enfold enfold allows Stored XSS.This issue affects Enfold: from n/a through <= 7.1.2.
Published: 2025-11-21
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Enfold theme has a stored cross‑site scripting flaw that arises from improper neutralization of user input when generating web pages. The vulnerability allows an attacker to inject malicious scripts that persist in the website’s content and execute in the browsers of visitors. This can compromise confidentiality, integrity, or availability of the affected site, potentially leading to cookie theft, session hijacking, defacement, or distribution of malware.

Affected Systems

The flaw is present in all Kriesi Enfold theme versions from the earliest releases up through 7.1.2. WordPress sites that deploy this theme, regardless of the WordPress core version, are vulnerable.

Risk and Exploitability

The CVSS score of 6.5 indicates medium severity, while an EPSS score of less than 1% suggests a low probability of exploitation at present. The vulnerability is not registered in the CISA KEV database. The likely attack vector requires an authenticated user or a user with input privileges within the theme, and the attacker can exploit the field that stores user‐supplied data in a way that is subsequently rendered without proper escaping.

Generated by OpenCVE AI on April 29, 2026 at 12:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Enfold theme to a version newer than 7.1.2.
  • If an upgrade is not immediately possible, disable or remove any theme features that accept unchecked user input, and validate or escape all content before it is stored or rendered.
  • Verify that any custom PHP functions or plugins that alter Enfold output properly sanitize and escape data before it reaches the browser.

Generated by OpenCVE AI on April 29, 2026 at 12:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Mon, 24 Nov 2025 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Kriesi
Kriesi enfold
Wordpress
Wordpress wordpress
Vendors & Products Kriesi
Kriesi enfold
Wordpress
Wordpress wordpress

Fri, 21 Nov 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 21 Nov 2025 12:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kriesi Enfold enfold allows Stored XSS.This issue affects Enfold: from n/a through <= 7.1.2.
Title WordPress Enfold theme <= 7.1.2 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Kriesi Enfold
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T19:05:59.849Z

Reserved: 2025-11-21T11:20:39.724Z

Link: CVE-2025-66053

cve-icon Vulnrichment

Updated: 2025-11-21T14:25:45.235Z

cve-icon NVD

Status : Deferred

Published: 2025-11-21T13:15:46.033

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-66053

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T12:45:11Z

Weaknesses