Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in purethemes WorkScout workscout allows Reflected XSS.This issue affects WorkScout: from n/a through <= 4.1.07.
Published: 2026-01-22
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Cross-site scripting (Reflected XSS)
Action: Update Theme
AI Analysis

Impact

The vulnerability involves improper neutralization of user input during web page rendering, enabling reflected cross‑site scripting in the WorkScout WordPress theme. This flaw allows an attacker to inject malicious scripts through crafted requests, potentially executing within the victim’s browser, stealing credentials, or defacing content. The weakness is a classic input validation issue, identified as CWE‑79.

Affected Systems

Purethemes’ WorkScout theme versions from the earliest release through version 4.1.07 are affected. Any WordPress installation employing these theme releases is susceptible unless newer, unpatched releases are in use.

Risk and Exploitability

With a CVSS score of 7.1, the vulnerability represents a medium to high severity risk. The EPSS score is below 1 % and the flaw is not listed in CISA’s KEV catalog, indicating rare exploitation in the wild. The likely attack vector is a reflected XSS, triggered via user‑controllable query parameters or form fields rendered by the theme. Exploitation requires only a crafted URL or form payload; no privileged access is needed.

Generated by OpenCVE AI on April 27, 2026 at 21:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WorkScout theme to the latest version that addresses the XSS flaw
  • If upgrading is not immediately possible, modify the theme’s output logic to properly escape all user‑controlled data before rendering it to the page
  • Implement a strong Content Security Policy that restricts executable scripts to trusted origins

Generated by OpenCVE AI on April 27, 2026 at 21:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 29 Jan 2026 01:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 23 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Purethemes
Purethemes workscout
Wordpress
Wordpress wordpress
Vendors & Products Purethemes
Purethemes workscout
Wordpress
Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in purethemes WorkScout workscout allows Reflected XSS.This issue affects WorkScout: from n/a through <= 4.1.07.
Title WordPress WorkScout theme <= 4.1.07 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Purethemes Workscout
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T19:29:07.180Z

Reserved: 2025-12-15T10:00:23.850Z

Link: CVE-2025-67959

cve-icon Vulnrichment

Updated: 2026-01-29T00:59:34.363Z

cve-icon NVD

Status : Deferred

Published: 2026-01-22T17:16:05.513

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-67959

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-27T21:45:14Z

Weaknesses