Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CleverSoft Anon anon2x allows Reflected XSS. This issue affects Anon: from n/a through <= 2.2.10.
Published: 2026-01-22
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an instance of Improper Neutralization of Input During Web Page Generation (CWE‑79). In its reflected form, part of an HTTP request is written back into the theme's HTML output without escaping, so an attacker can craft a URL whose parameters carry script. When a user opens that link, the script runs in the victim's browser in the context of the vulnerable site. Possible consequences include theft of session cookies that are not marked HttpOnly, requests issued with the victim's privileges (including an administrator's, if an administrator is the one lured), page defacement, or redirection to attacker-controlled sites.
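
To make the pattern concrete, the following is an added illustration, not code from the Anon theme or from the advisory: a template fragment that echoes request parameters straight into the page, beside the same fragment escaped with WordPress's context-specific functions. The parameter names `s` and `back`, the constructed request, and the stand-in `esc_*` definitions are assumptions so the script runs outside WordPress with plain `php`.

```php
<?php
// Added illustration of reflected XSS (CWE-79) in a WordPress-style theme template.
// Not code from the Anon theme; the parameter names "s" and "back" and the
// template fragments are assumptions used to show the pattern, not the real flaw.

// Minimal stand-ins so the file runs outside WordPress (php reflected-xss-demo.php).
// Inside WordPress these functions already exist and the stand-ins are skipped.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    // Simplified stand-in: keeps http(s) and site-relative URLs, rejects anything
    // else (javascript:, data:, ...). WordPress's real esc_url strips disallowed
    // schemes and accepts more URL forms, but the intent is the same.
    function esc_url(string $url): string {
        $url = trim($url);
        if (!preg_match('#^(?:https?://|/)#i', $url)) {
            return '';
        }
        return htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Vulnerable pattern: request data is written straight into the page.
function render_vulnerable(array $get): string {
    $q   = $get['s'] ?? '';
    $ref = $get['back'] ?? '/';
    return '<h1>Results for: ' . $q . '</h1>'
         . '<input type="text" name="s" value="' . $q . '">'
         . '<a href="' . $ref . '">Back</a>';
}

// Hardened pattern: escape each value for the context it lands in
// (element text, attribute value, URL). One escaper does not fit all three.
function render_hardened(array $get): string {
    $q   = $get['s'] ?? '';
    $ref = $get['back'] ?? '/';
    return '<h1>Results for: ' . esc_html($q) . '</h1>'
         . '<input type="text" name="s" value="' . esc_attr($q) . '">'
         . '<a href="' . esc_url($ref) . '">Back</a>';
}

// Constructed request, as an attacker-crafted link would deliver it.
$crafted = [
    's'    => '"><script>alert(document.domain)</script>',
    'back' => 'javascript:alert(1)',
];

echo "VULNERABLE:\n" . render_vulnerable($crafted) . "\n\n";
echo "HARDENED:\n"   . render_hardened($crafted) . "\n";
```

In the vulnerable rendering the `s` value closes the input's `value` attribute and injects a `script` element, and `back` turns the link into a `javascript:` URL; the hardened rendering neutralises both. The point a reviewer should carry back to the theme's own templates is that the escaper has to match the output context: attribute context needs quotes encoded, URL context needs unsafe schemes rejected, and escaping once "on input" does not cover both.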

Affected Systems

Affected are WordPress sites running the CleverSoft Anon theme at version 2.2.10 or earlier. The record gives no lower bound ("from n/a"), so every release up to and including 2.2.10 should be treated as affected. Site administrators who have this theme installed should confirm the installed version (the Version: line in the theme's style.css header, or Appearance > Themes in the dashboard) and act accordingly.

Risk and Exploitability

The CVSS 3.1 score is 7.1 (High), vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L: reachable over the network, low attack complexity, no privileges required, but the victim must interact (open the crafted link), and the scope changes because script supplied through the vulnerable theme executes in the user's browser. The EPSS score is below 1%, meaning the model estimates a low probability of exploitation in the near term, and the SSVC enrichment records no known exploitation. The flaw is not listed in the CISA KEV catalog. An attacker needs to lure a user to a crafted URL, for example by phishing or by embedding the link on another site. Reflected XSS runs script in the victim's browser rather than on the server, so it is not remote code execution; it can still be a gateway to more damaging attacks if the hijacked session belongs to a site administrator, who can change content and configuration from the dashboard.

Generated by OpenCVE AI on April 29, 2026 at 11:20 UTC.

Remediation

No vendor fix or workaround is currently recorded.

OpenCVE Recommended Actions

  • Check whether CleverSoft has published an Anon release above 2.2.10 that addresses this issue and update to it. The record currently lists no vendor fix, so verify the release notes rather than assume a newer version is patched.
  • Until a fixed release is available, switch the site to another theme and remove the Anon theme files from wp-content/themes, so the vulnerable templates are no longer served.
  • Review the theme's template files for request data ($_GET, $_POST, $_REQUEST, $_SERVER['REQUEST_URI'] and similar) that is written into HTML text, attributes or URLs, and escape each value for its output context with WordPress's esc_html(), esc_attr() and esc_url() (output escaping, not only input sanitization). A Content-Security-Policy that disallows inline script limits the damage of any reflected XSS that remains.
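
As a starting point for that review, here is an added triage check, not part of the advisory or of the Anon theme: a heuristic scan of template source for request data that is echoed on a line without any WordPress escaping or sanitizing function. The two sample templates are constructed for the demo; `scan_theme_dir()` shows how the same check is applied to a real theme directory.

```php
<?php
// Added check, not part of the advisory or the Anon theme: a heuristic scan of
// theme templates for request data echoed without a WordPress escaping function.
// The two sample templates below are constructed for the demo; in practice call
// scan_theme_dir() on the theme's directory.

// Superglobals that carry request data.
const SOURCES  = '\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\b';
// Escapers/sanitizers whose presence on the line makes it pass the heuristic.
const ESCAPERS = '(?:esc_html|esc_attr|esc_url|esc_js|esc_textarea|wp_kses(?:_post)?|absint|intval|sanitize_\w+)';

// Returns [line_number => line] for lines that output a superglobal without an
// escaper on the same line. It is a triage aid, not a proof of safety: data that
// flows through a variable or function first is not caught (see header.php below).
function find_unescaped_output(string $php): array {
    $hits = [];
    foreach (explode("\n", $php) as $i => $line) {
        $outputs    = preg_match('/\b(?:echo|print)\b|<\?=/', $line) === 1;
        $usesSource = preg_match('/' . SOURCES . '/', $line) === 1;
        $escaped    = preg_match('/' . ESCAPERS . '\s*\(/', $line) === 1;
        if ($outputs && $usesSource && !$escaped) {
            $hits[$i + 1] = trim($line);
        }
    }
    return $hits;
}

// Walks a theme directory and returns [path => hits] for every .php file with hits.
function scan_theme_dir(string $dir): array {
    $report = [];
    $it = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($dir));
    foreach ($it as $file) {
        if ($file->isFile() && $file->getExtension() === 'php') {
            $hits = find_unescaped_output(file_get_contents($file->getPathname()));
            if ($hits) {
                $report[$file->getPathname()] = $hits;
            }
        }
    }
    return $report;
}

// Constructed sample templates (not from any real theme).
$samples = [
    'search.php' => <<<'PHP'
<?php get_header(); ?>
<h1>Results for: <?php echo $_GET['s']; ?></h1>
<h2><?php echo esc_html($_GET['s']); ?></h2>
<form action="<?= $_SERVER['REQUEST_URI'] ?>">
<form action="<?= esc_url($_SERVER['REQUEST_URI']) ?>">
PHP,
    'header.php' => <<<'PHP'
<?php $title = $_GET['title'] ?? ''; ?>
<title><?php echo $title; ?></title>
PHP,
];

foreach ($samples as $name => $src) {
    foreach (find_unescaped_output($src) as $n => $line) {
        echo "$name:$n: $line\n";
    }
}
// Reports search.php lines 2 and 4 only. header.php is the known blind spot:
// $_GET flows through $title before being echoed, so follow assignments by hand
// (or with taint-tracking tooling) rather than trusting a single-line grep.
```

Run with `php theme-scan.php` for the samples, or replace the sample loop with `print_r(scan_theme_dir('/path/to/wp-content/themes/anon'));` for a real install. Treat every hit as a line to read, and every miss as nothing more than "not caught by this pattern": the `header.php` sample shows the common case the heuristic cannot see.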


Advisories

No advisories yet.

History

Thu, 29 Jan 2026 01:15:00 +0000

Type      Values Removed   Values Added
Metrics                    cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}
                           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 23 Jan 2026 16:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Wordpress
                                      Wordpress wordpress
Vendors & Products                    Wordpress
                                      Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Type         Values Removed   Values Added
Description                   Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CleverSoft Anon anon2x allows Reflected XSS. This issue affects Anon: from n/a through <= 2.2.10.
Title                         WordPress Anon theme <= 2.2.10 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses                    CWE-79
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T19:25:50.487Z

Reserved: 2025-12-09T16:46:41.863Z

Link: CVE-2025-67620

Vulnrichment

Updated: 2026-01-29T01:05:07.300Z

NVD

Status : Deferred

Published: 2026-01-22T17:16:02.210

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-67620

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T11:30:09Z

Weaknesses