Description
Unauthenticated Cross Site Scripting (XSS) in Artale | Wedding Photography WordPress <= 2.2.2 versions.
Published: 2026-07-02
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is an unauthenticated cross‑site scripting (XSS) vulnerability that exists in the Artale | Wedding Photography WordPress theme up to version 2.2.2. An attacker can inject arbitrary JavaScript into the output of the theme, which is then executed in the browsers of visitors who view the affected pages. This can lead to malicious code execution, cookie theft, defacement, or the delivery of further malware. The weakness is identified as CWE‑79.

Affected Systems

The vulnerability affects the ThemeGoods Artale | Wedding Photography WordPress theme. All installations running version 2.2.2 or earlier are vulnerable. No newer fixed versions are listed in the available data.

Risk and Exploitability

The reported CVSS score of 7.1 indicates a high severity level, but the EPSS score is not available, so the current probability of exploitation is uncertain. The vulnerability is not listed in the CISA KEV catalog, reducing the likelihood that a widely‑known exploit is already in circulation. An attacker can exploit the flaw without authentication, typically by sending a crafted payload to the vulnerable input on a public page or through a public form. Because the vector is remote and requires no special privileges, entities running affected versions should consider the risk high.

Generated by OpenCVE AI on July 3, 2026 at 06:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest Artale theme release that patches the XSS flaw
  • If an upgrade is not immediately possible, remove or disable the theme component that accepts unsanitized user input, such as the comments or review widgets, or apply a custom sanitization filter
  • Implement a strict Content Security Policy that blocks inline scripts and restricts script execution to trusted sources

Advisories

No advisories yet.

History

Thu, 02 Jul 2026 13:30:00 +0000

Changes (Type: Values Added; no Values Removed):
  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 02 Jul 2026 11:30:00 +0000

Changes (Type: Values Added; no Values Removed):
  • Description: Unauthenticated Cross Site Scripting (XSS) in Artale | Wedding Photography WordPress <= 2.2.2 versions.
  • Title: WordPress Artale | Wedding Photography WordPress theme <= 2.2.2 - Cross Site Scripting (XSS) vulnerability
  • Weaknesses: CWE-79
  • References
  • Metrics: cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-07-02T12:50:09.625Z

Reserved: 2025-12-29T11:19:48.753Z

Link: CVE-2025-69152

Vulnrichment

Updated: 2026-07-02T12:50:05.572Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-03T07:00:11Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')