Description
Unauthenticated Cross Site Scripting (XSS) in Fitness Zone WordPress Theme <= 5.7 versions.
Published: 2026-07-02
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unauthenticated Cross Site Scripting vulnerability exists in all releases of the Fitness Zone WordPress Theme up to and including version 5.7. The flaw permits arbitrary JavaScript to be injected into the theme's rendered page output, enabling an attacker to execute script in the browser of any user who visits the affected page. The defect is classified as classic XSS (CWE-79).

Affected Systems

All WordPress sites that use the Designthemes Fitness Zone WordPress Theme at version 5.7 or older are affected; the vulnerability is independent of the WordPress core version and of any other installed plugins.

Risk and Exploitability

With a CVSS score of 7.1, the flaw is considered moderate to high severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is unauthenticated access: a malicious payload can be embedded and delivered to any visitor who loads a page rendered by the vulnerable theme. Based on the description, it is inferred that any user visiting the compromised page may be exposed to the injected script.

Generated by OpenCVE AI on July 3, 2026 at 10:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Fitness Zone WordPress Theme to a version newer than 5.7, or apply the vendor's patch release.
  • If an immediate upgrade is not possible, temporarily disable the vulnerable theme or replace it with a more secure alternative.
  • Review the theme's PHP templates for unsanitized user input and ensure proper output escaping, so that future injection of malicious code is prevented.

Generated by OpenCVE AI on July 3, 2026 at 10:25 UTC.

Advisories

No advisories yet.

History

Thu, 02 Jul 2026 20:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 02 Jul 2026 11:30:00 +0000

Type          Values Removed   Values Added
Description                    Unauthenticated Cross Site Scripting (XSS) in Fitness Zone WordPress Theme <= 5.7 versions.
Title                          WordPress Fitness Zone WordPress Theme theme <= 5.7 - Cross Site Scripting (XSS) vulnerability
Weaknesses                     CWE-79
References
Metrics                        cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-07-02T19:42:48.313Z

Reserved: 2025-12-29T11:19:54.137Z

Link: CVE-2025-69155

Vulnrichment

Updated: 2026-07-02T19:42:43.807Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-03T10:30:11Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')