Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in favethemes Homey Core homey-core allows Reflected XSS. This issue affects Homey Core: from n/a through <= 2.4.3.
Published: 2026-01-22
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting (Reflected)
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an instance of improper neutralization of input during web page generation (CWE‑79) in its reflected form: a value taken from the request is written back into the generated page without adequate escaping. An attacker embeds script in a crafted URL and induces a victim to open it; the script then runs in the victim's browser within the origin of the vulnerable WordPress site. What the attacker gains depends on who the victim is. For a logged‑in administrator the script can issue authenticated requests to wp-admin on their behalf, read page content, and capture anything typed into the page; WordPress marks its authentication cookies HttpOnly, so the payoff is usually actions performed from the victim's browser rather than a copied session cookie. Because the payload travels in the link rather than being stored on the server, each victim has to be lured individually and the site itself is not persistently altered by the bug alone.
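
As an added illustration of the mechanism (this is not code from Homey Core or from OpenCVE), the following Python models a page that reflects a search term three ways: with no escaping, with the "strip <script>" filtering that is often mistaken for a fix, and with context‑aware output encoding. The parameter name, the templates and the probe payloads are constructed for the demonstration; the audit helper parses the rendered page the way a browser tokenises it and reports any script element or inline event handler that would execute.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample: a hypothetical search parameter "s" reflected into the
# page.  The parameter name and templates are assumptions for illustration and
# are not taken from Homey Core.


def render_unescaped(term: str) -> str:
    """Vulnerable pattern (CWE-79): request data concatenated straight into
    HTML, once inside a quoted attribute and once as a text node."""
    return f'<input name="s" value="{term}"><p>Results for {term}</p>'


_SCRIPT_TAG = re.compile(r"<\s*/?\s*script[^>]*>", re.IGNORECASE)


def render_blocklist(term: str) -> str:
    """Insufficient 'sanitization': stripping <script> tags and nothing else.
    It stops the textbook payload but not an attribute break-out that uses an
    event handler, so the reflection stays exploitable."""
    return render_unescaped(_SCRIPT_TAG.sub("", term))


def render_escaped(term: str) -> str:
    """Hardened pattern: encode for the HTML context at the point of output.
    html.escape(quote=True) rewrites & < > " and ', which covers both a
    double-quoted attribute value and a text node.  WordPress code would use
    esc_attr() / esc_html() for the same purpose."""
    safe = html.escape(term, quote=True)
    return f'<input name="s" value="{safe}"><p>Results for {safe}</p>'


# Two constructed probe payloads a tester might send.
PAYLOAD_TEXT = "<script>alert(1)</script>"        # classic, script-tag based
PAYLOAD_ATTR = '"><img src=x onerror=alert(1)>'   # closes the attribute, no <script>


class _MarkupAudit(HTMLParser):
    """Records constructs in the parsed page that would execute script: a
    <script> element, an on* event-handler attribute, or a javascript: URL."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script tag")
        for name, value in attrs:
            lname = name.lower()
            if lname.startswith("on"):
                self.findings.append(f"{tag}@{lname}")
            elif lname in ("src", "href") and value and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"{tag}@{lname}=javascript:")


def live_script(page: str) -> list[str]:
    """Parse the rendered page and return every script-executing construct.
    Escaped payloads appear only as text or attribute values, so they produce
    no findings."""
    audit = _MarkupAudit()
    audit.feed(page)
    audit.close()
    return audit.findings


def reflected_verbatim(page: str, term: str) -> bool:
    """Cheapest reflection check: the raw probe appears unchanged in the response."""
    return term in page


if __name__ == "__main__":
    for label, render in (("unescaped", render_unescaped),
                          ("blocklist", render_blocklist),
                          ("escaped", render_escaped)):
        for payload in (PAYLOAD_TEXT, PAYLOAD_ATTR):
            print(f"{label:9s} {payload!r:36s} -> {live_script(render(payload))}")
```

The blocklist variant is the instructive case: it reports nothing for the script‑tag payload and so looks fixed, yet the attribute break‑out still yields a live `onerror` handler. Only the encoded variant is clean for both, which is why the remediation for CWE‑79 is output escaping per context rather than input filtering.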

Affected Systems

The affected product is the Homey Core WordPress plugin (slug homey-core) from favethemes. The CVE record gives the affected range as "n/a through 2.4.3", i.e. every release up to and including 2.4.3; no fixed version is listed on this page. The record does not identify the parameter or template involved beyond classifying the flaw as reflected XSS, so the only reliable statement is that some request value reaches generated HTML without adequate escaping.

Risk and Exploitability

A CVSS 3.1 base score of 7.1 is rated High. The vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L says the flaw is reachable over the network with no authentication, but the victim must open the link (UI:R), and the impact lands in the victim's browser rather than on the server, hence the changed scope. The EPSS estimate below 1% and the absence of a KEV entry mean no evidence of active exploitation has been recorded; the SSVC assessment on this page likewise records Exploitation: none and Automatable: no. Exploitation consists of delivering a crafted link (by email, comment, chat or a phishing page) to a user of the site and waiting for a click; the most valuable target is an administrator who is logged in to wp-admin. Because the payload is delivered through the link rather than stored on the server, controls that inspect stored content never see it, and the durable fix is output escaping in the plugin; perimeter filtering of request parameters is at best a stopgap.

Generated by OpenCVE AI on April 27, 2026 at 21:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Homey Core to a release newer than 2.4.3 as soon as favethemes publishes one. This page records no fixed version yet, so check the vendor changelog for the XSS fix before assuming a given release closes it.
  • Until then, identify the parameter that is reflected and either escape it at output (esc_html()/esc_attr() in WordPress code) or block requests carrying markup in it at the web server or WAF. A blocklist that only strips "<script>" misses attribute‑context payloads such as event handlers; if the reflecting feature is not needed, disabling it is the safer interim step.
  • Deploy a Content‑Security‑Policy whose script‑src does not allow inline script (no 'unsafe-inline', or a nonce/hash‑based policy). Stage it as Content‑Security‑Policy‑Report‑Only first, because WordPress core and many themes emit inline scripts that a strict policy will break. CSP limits the impact of this bug; it does not fix it.

Generated by OpenCVE AI on April 27, 2026 at 21:30 UTC.
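
The CSP recommendation above only helps if the policy actually forbids inline execution, which depends on how script-src, default-src, 'unsafe-inline' and nonces interact. The following Python is an added example, not OpenCVE's or the plugin's code: it parses a policy header and answers that question, and builds the nonce‑based policy one would stage in report‑only mode. The sample policies and the nonce value are constructed.

```python
from __future__ import annotations

import re
import secrets

# A nonce or hash source in a directive makes CSP2+ browsers ignore
# 'unsafe-inline' in that same directive.
_NONCE_OR_HASH = re.compile(
    r"^'(?:nonce-[A-Za-z0-9+/=_-]+|sha(?:256|384|512)-[A-Za-z0-9+/=]+)'$"
)


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a Content-Security-Policy header into {directive: [sources]}.
    Directives are ';'-separated; when one is repeated, browsers honour the
    first occurrence and ignore the rest, so this does the same."""
    policy: dict[str, list[str]] = {}
    for chunk in header.split(";"):
        parts = chunk.split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def effective_script_sources(policy: dict[str, list[str]]) -> list[str] | None:
    """script-src governs inline script; absent that, default-src does; if
    neither is present the policy places no restriction on script at all."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")


def inline_script_allowed(header: str) -> bool:
    """True if an injected <script> block or on* handler would run under this
    policy.  (Limitation: 'strict-dynamic' and 'unsafe-hashes' are not
    modelled; neither would let an attacker-supplied inline script run.)"""
    sources = effective_script_sources(parse_csp(header))
    if sources is None:
        return True
    if any(_NONCE_OR_HASH.match(src) for src in sources):
        # Nonce/hash present: 'unsafe-inline' is ignored, and injected inline
        # script cannot carry the right nonce or match a whitelisted hash.
        return False
    return any(src.lower() == "'unsafe-inline'" for src in sources)


def nonce_policy(nonce: str) -> str:
    """Policy permitting only same-origin scripts plus inline scripts that
    carry the per-response nonce.  Every legitimate inline <script> must then
    receive nonce="..." (in WordPress, via the script_loader_tag filter), which
    is why this should first ship as Content-Security-Policy-Report-Only."""
    return (f"default-src 'self'; script-src 'self' 'nonce-{nonce}'; "
            "object-src 'none'; base-uri 'self'")


def new_nonce() -> str:
    """128-bit random, URL-safe nonce; must be fresh on every response."""
    return secrets.token_urlsafe(16)


# Constructed sample policies.
WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline'"
WEAK_VIA_DEFAULT = "default-src 'self' 'unsafe-inline'; img-src *"
NO_SCRIPT_RESTRICTION = "img-src *"
STRICT_POLICY = nonce_policy("r4nd0mN0nc3")

if __name__ == "__main__":
    for label, header in (("weak", WEAK_POLICY),
                          ("weak via default-src", WEAK_VIA_DEFAULT),
                          ("no script directive", NO_SCRIPT_RESTRICTION),
                          ("nonce policy", STRICT_POLICY)):
        print(f"{label:22s} inline allowed: {inline_script_allowed(header)}")
```

The second sample is the one administrators most often get wrong: there is no script-src at all, so 'unsafe-inline' on default-src silently applies to scripts and the header provides no XSS mitigation despite looking restrictive.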


Advisories

No advisories yet.

History

Thu, 29 Jan 2026 00:15:00 +0000

Type: Metrics
Values added:
  cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 23 Jan 2026 16:45:00 +0000

Type: First Time appeared
Values added: Favethemes; Favethemes homey; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values added: Favethemes; Favethemes homey; Wordpress; Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Type: Description
Values added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in favethemes Homey Core homey-core allows Reflected XSS. This issue affects Homey Core: from n/a through <= 2.4.3.

Type: Title
Values added: WordPress Homey Core plugin <= 2.4.3 - Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values added: CWE-79

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T19:29:46.952Z

Reserved: 2025-12-15T10:00:23.852Z

Link: CVE-2025-67964

Vulnrichment

Updated: 2026-01-28T23:58:30.239Z

NVD

Status : Deferred

Published: 2026-01-22T17:16:05.993

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-67964

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-27T21:45:14Z

Weaknesses