Description
Unauthenticated Cross Site Scripting (XSS) in SpaLab | Beauty Salon WordPress Theme <= 6.7 versions.
Published: 2026-07-02
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an unauthenticated Cross Site Scripting flaw that allows an attacker to inject arbitrary JavaScript into a visitor’s browser when the SpaLab theme is used. The weakness is a classic input‑validation error identified as CWE‑79.

Affected Systems

The flaw affects installations of the Designthemes SpaLab Beauty Salon WordPress Theme with versions 6.7 and earlier. Any WordPress site deploying this theme without an upgrade is susceptible, regardless of the underlying WordPress core version.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity vulnerability. EPSS is not available, but because the flaw is client‑side and does not require authentication, it can be exploited simply by an attacker directing a user to the affected site or creating a malicious link. The vulnerability is not listed in the CISA KEV catalog, suggesting no known widespread exploitation reports.

Generated by OpenCVE AI on July 2, 2026 at 17:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the SpaLab theme to a version newer than 6.7, which contains the patch for the XSS flaw.
  • If an update is not immediately available, disable or replace the vulnerable theme to prevent user exposure.
  • Implement a Content Security Policy or other output‑encoding measures to mitigate the impact of any remaining XSS vectors.

Generated by OpenCVE AI on July 2, 2026 at 17:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 02 Jul 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 02 Jul 2026 11:30:00 +0000

Type Values Removed Values Added
Description Unauthenticated Cross Site Scripting (XSS) in SpaLab | Beauty Salon WordPress Theme <= 6.7 versions.
Title WordPress SpaLab | Beauty Salon WordPress Theme theme <= 6.7 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-07-02T14:54:49.155Z

Reserved: 2025-12-29T11:19:54.137Z

Link: CVE-2025-69154

cve-icon Vulnrichment

Updated: 2026-07-02T14:54:44.223Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-02T18:00:05Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')