Description
Unauthenticated Cross Site Scripting (XSS) in Trendy Travel <= 6.7 versions.
Published: 2026-07-02
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unauthenticated Cross Site Scripting vulnerability exists in the WordPress Trendy Travel theme with versions 6.7 and earlier. This flaw allows an attacker to insert malicious scripts into web pages that are viewed by site visitors, potentially hijacking user sessions, extracting sensitive information, or delivering additional malware. The vulnerability stems from insufficient sanitization of user-supplied input within the theme’s templates, classified under CWE-79.

Affected Systems

DesignThemes’ Trendy Travel WordPress theme is affected for all releases through version 6.7. Users who have not upgraded beyond 6.7 are exposed to the flaw. The specific product is the “Trendy Travel” theme distributed via WordPress theme repositories.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity. With no EPSS data available, the exploitation likelihood is uncertain, and the vulnerability is not listed in CISA’s KEV catalog. The attacker can likely be any unauthenticated user who can reach the vulnerable page, making the flaw remotely exploitable via crafted URLs or inputs. The CVSS vector includes UI:R, so a victim has to interact, for example by loading a crafted link, before the script runs. An attacker could exploit this to execute arbitrary client‑side code in the browser of any visitor who loads the compromised page.

Generated by OpenCVE AI on July 2, 2026 at 15:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Trendy Travel theme to the latest release (≥6.8) to apply the vendor fix.
  • If an upgrade cannot be performed immediately, replace or disable any affected theme templates that accept user input, ensuring all output is properly escaped.
  • Deploy a site‑wide Content Security Policy and strengthen input validation to mitigate XSS until the theme is fully updated.

Advisories

No advisories yet.

History

Thu, 02 Jul 2026 15:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 02 Jul 2026 11:30:00 +0000

Type | Values Removed | Values Added
Description | | Unauthenticated Cross Site Scripting (XSS) in Trendy Travel <= 6.7 versions.
Title | | WordPress Trendy Travel theme <= 6.7 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-07-02T14:44:40.367Z

Reserved: 2025-12-29T11:19:48.753Z

Link: CVE-2025-69153

Vulnrichment

Updated: 2026-07-02T14:44:35.565Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-02T15:30:05Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')