Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in designthemes DesignThemes Core designthemes-core allows DOM-Based XSS. This issue affects DesignThemes Core: from n/a through <= 1.6.
Published: 2025-12-30
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from improper input neutralization during web page generation, enabling an attacker to inject malicious scripts into pages rendered by the DesignThemes Core plugin. This defect can lead to execution of arbitrary JavaScript in the context of a victim’s browser, potentially compromising session cookies, defacing content, or phishing users. The weakness is classified as CWE‑79 and is limited to user‑controlled content within the plugin’s output.

Affected Systems

WordPress sites running the DesignThemes Core plugin version 1.6 or earlier are affected. The plugin is distributed by the vendor DesignThemes under the product name DesignThemes Core.

Risk and Exploitability

The CVSS score of 6.5 reflects moderate severity. The EPSS score is below 1%, indicating a low probability of exploitation at the moment. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires a user to visit a page that renders unsanitized, attacker‑controlled data, implying that the attack vector is web‑based and that the attacker can leverage the site’s existing content to deliver malicious payloads.

Generated by OpenCVE AI on April 29, 2026 at 15:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade DesignThemes Core to a version newer than 1.6. This removes the identified input handling flaw and neutralizes the XSS vector.
  • Ensure all data entered by users or third‑party sources is properly sanitized and escaped before rendering it in any page context. Utilize WordPress’s built‑in functions such as wp_kses() or esc_html() where appropriate.
  • If an upgrade is temporarily unavailable, disable the affected components of the plugin or restrict access to the pages that can contain user‑supplied content until a patch is applied.



Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Mon, 05 Jan 2026 10:45:00 +0000

Type: First Time appeared
Values Added: Designthemes; Designthemes core; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Designthemes; Designthemes core; Wordpress; Wordpress wordpress

Tue, 30 Dec 2025 16:15:00 +0000

Type: Metrics
Values Added: cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 30 Dec 2025 11:00:00 +0000

Type: Description
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in designthemes DesignThemes Core designthemes-core allows DOM-Based XSS. This issue affects DesignThemes Core: from n/a through <= 1.6.

Type: Title
Values Added: WordPress DesignThemes Core plugin <= 1.6 - Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values Added: CWE-79

Type: References

Subscriptions

Designthemes Core
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:33.548Z

Reserved: 2025-12-29T11:17:52.921Z

Link: CVE-2025-68978

Vulnrichment

Updated: 2025-12-30T16:03:40.778Z

NVD

Status: Deferred

Published: 2025-12-30T11:15:56.380

Modified: 2026-04-27T19:16:38.827

Link: CVE-2025-68978

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T15:15:14Z

Weaknesses