Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Select-Themes Stockholm Core stockholm-core allows Stored XSS.This issue affects Stockholm Core: from n/a through <= 2.4.6.
Published: 2025-12-16
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored cross‑site scripting
Action: Patch
AI Analysis

Impact

The vulnerability is a stored cross‑site scripting flaw arising from improper neutralization of user input within the WordPress Stockholm Core plugin through version 2.4.6. Attackers can inject malicious JavaScript that persists in plugin‑generated content and is later delivered to any site visitor, allowing potential cookie theft, defacement, or other client‑side attacks. The weakness aligns with CWE‑79 – Improper Neutralization of Input.

Affected Systems

The affected product is the Select‑Themes Stockholm Core plugin for WordPress. All releases up to and including version 2.4.6 are vulnerable; any site deploying a version from the earliest release through 2.4.6 without upgrading remains at risk.

Risk and Exploitability

The CVSS score of 6.5 denotes moderate severity, while the EPSS score of less than 1% indicates a low current exploitation probability, and the vulnerability is not listed in CISA KEV. Based on the description, the likely attack vector involves submitting malicious content through the plugin’s input interface, which the plugin stores and later outputs without proper sanitization. Once injected, the payload executes in the browsers of any user who views the affected page, potentially affecting all site visitors.

Generated by OpenCVE AI on April 28, 2026 at 18:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Stockholm Core to any release newer than 2.4.6.
  • If an upgrade is not immediately possible, remove or disable the plugin to block the vulnerable content paths.
  • Configure a web application firewall or implement input sanitization rules to prevent malicious JavaScript from being stored or rendered by the plugin.

Generated by OpenCVE AI on April 28, 2026 at 18:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 30 Jan 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

 cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Tue, 16 Dec 2025 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Select-themes
Select-themes stockholm Core
Wordpress
Wordpress wordpress
Vendors & Products Select-themes
Select-themes stockholm Core
Wordpress
Wordpress wordpress

Tue, 16 Dec 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 16 Dec 2025 08:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Select-Themes Stockholm Core stockholm-core allows Stored XSS.This issue affects Stockholm Core: from n/a through <= 2.4.6.
Title WordPress Stockholm Core plugin <= 2.4.6 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Select-themes Stockholm Core
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T19:58:12.699Z

Reserved: 2025-12-15T10:01:24.073Z

Link: CVE-2025-68076

cve-icon Vulnrichment

Updated: 2025-12-16T15:08:33.857Z

cve-icon NVD

Status : Deferred

Published: 2025-12-16T09:16:02.543

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-68076

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T18:45:15Z

Weaknesses