Description
Unauthenticated Cross Site Scripting (XSS) in Avante < 3.0.5 versions.
Published: 2026-06-17
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unauthenticated reflected Cross Site Scripting flaw exists in WordPress Avante theme versions prior to 3.0.5. The flaw is caused by input parameters that are incorporated into page output without proper sanitization. Based on the description, it is inferred that an attacker could inject arbitrary JavaScript that is executed in the victim’s browser when the URL is visited. This type of weakness corresponds to CWE‑79. The CVSS score of 7.1 indicates high severity, meaning the flaw can potentially compromise confidentiality or integrity of the user session.

Affected Systems

Sites running ThemeGoods Avante theme older than 3.0.5 are affected. The vulnerability is independent of the WordPress core version and applies to any environment that uses the unpatched theme. No other themes or plugins are specified as impacted.

Risk and Exploitability

The CVSS score of 7.1 classifies the flaw as high. The EPSS score is not available, so the current likelihood of exploitation remains uncertain. The flaw is not listed in any KEV catalog. The likely attack vector is a remote unauthenticated user delivering a crafted link that includes malicious query parameters; the victim must simply click the link to trigger the reflected script. Because the exploit requires only a single URL, the difficulty is low, making the potential for exploitation moderate to high if an attacker is motivated.

Generated by OpenCVE AI on June 18, 2026 at 13:56 UTC.

Remediation

Vendor Solution

Update the WordPress Avante | Business Consulting WordPress Theme to the latest available version (at least 3.0.5).


OpenCVE Recommended Actions

  • Update the Avante theme to version 3.0.5 or later, which removes the reflected XSS flaw.
  • If an immediate update cannot be applied, deactivate or uninstall the Avante theme to eliminate the vulnerable code.
  • Deploy a content security policy or a web application firewall that blocks reflected XSS payloads until the patch is applied.

Generated by OpenCVE AI on June 18, 2026 at 13:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Themegoods
Themegoods avante
Wordpress
Wordpress wordpress
Vendors & Products Themegoods
Themegoods avante
Wordpress
Wordpress wordpress

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
Description Unauthenticated Cross Site Scripting (XSS) in Avante < 3.0.5 versions.
Title WordPress Avante theme < 3.0.5 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Themegoods Avante
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T14:34:36.259Z

Reserved: 2025-12-19T10:17:03.705Z

Link: CVE-2025-68524

cve-icon Vulnrichment

Updated: 2026-06-17T14:34:21.652Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T23:03:21Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')