Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in designingmedia Hostiko hostiko allows Reflected XSS.This issue affects Hostiko: from n/a through < 94.3.6.
Published: 2026-01-22
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

The vulnerability arises from improper neutralization of input during web page generation in the Hostiko WordPress theme, enabling reflected cross‑site scripting. An attacker can embed malicious scripts in certain user‑controllable input that is rendered directly to the browser, potentially hijacking user sessions, defacing content, or executing further attacks in the victim’s context.

Affected Systems

All installations of the Hostiko theme for WordPress with a version prior to 94.3.6 are affected. This includes any website that has deployed Hostiko before the release of version 94.3.6, regardless of WordPress core version.

Risk and Exploitability

The CVSS score of 7.1 indicates a moderate to high impact potential, while the EPSS score of < 1% signals a low likelihood of exploitation in the near term. The vulnerability does not require authentication and can be triggered by manipulating reflected input, making it straightforward for an attacker to craft a malicious URL or form that activates the XSS payload. Although it is not listed in CISA's KEV catalog, the straightforward attack vector warrants prompt mitigation.

Generated by OpenCVE AI on April 27, 2026 at 21:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Hostiko theme to version 94.3.6 or later, which applies the proper input sanitization fix.
  • If an immediate update is not feasible, disable or uninstall the theme to eliminate the exposed code path.
  • Implement a web application firewall or content‑security‑policy headers to block reflected XSS attempts until the theme can be updated.

Generated by OpenCVE AI on April 27, 2026 at 21:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 29 Jan 2026 01:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 23 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in designingmedia Hostiko hostiko allows Reflected XSS.This issue affects Hostiko: from n/a through < 94.3.6.
Title WordPress Hostiko theme < 94.3.6 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T19:28:10.753Z

Reserved: 2025-12-15T10:00:16.552Z

Link: CVE-2025-67949

cve-icon Vulnrichment

Updated: 2026-01-29T01:03:09.245Z

cve-icon NVD

Status : Deferred

Published: 2026-01-22T17:16:04.533

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-67949

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-27T21:45:14Z

Weaknesses