Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jthemes Prestige prestige allows Reflected XSS. This issue affects Prestige: from n/a through < 1.4.1.
Published: 2026-02-20
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Reflected cross‑site scripting that can enable credential theft and site defacement
Action: Update now
AI Analysis

Impact

An improper neutralization of user‑supplied input in the Prestige theme creates a reflected cross‑site scripting flaw. The flaw allows an attacker to embed arbitrary JavaScript in pages served to victims, which can lead to cookie theft, credential compromise, or defacement. The weakness is a classic input‑validation issue classified as CWE‑79.

Affected Systems

WordPress users who have installed the Prestige theme—whether through the JThemes package or any other installation method—are vulnerable if they are running any release prior to 1.4.1. Versions 1.4.1 and later are not affected, and the vulnerability applies to every site that still runs one of the older versions.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.1, indicating a high impact if exploited. However, the EPSS score is less than 1%, suggesting that exploitation is unlikely at this time, and the flaw has not been listed in CISA’s KEV catalog. Attackers would need to lure a victim’s browser to a crafted URL that reflects back unsanitized input, a scenario that can be mitigated by moving to a patched theme or by applying broader input filtering. In the absence of a publicly known exploit, the risk remains moderate, but the potential for credential theft warrants prompt action.

Generated by OpenCVE AI on April 27, 2026 at 20:30 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the Prestige theme to version 1.4.1 or later
  • If an upgrade is not immediately feasible, temporarily disable the theme or switch to a different one until the patch is applied
  • Implement site‑wide Content Security Policy headers or use a security plugin that reinforces input sanitization to reduce the impact of potential XSS

Advisories

No advisories yet.

History

Mon, 23 Feb 2026 22:15:00 +0000

Type: Metrics
Values removed: (none)
Values added:
  cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Feb 2026 15:00:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Jthemes; Jthemes prestige; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values removed: (none)
Values added: Jthemes; Jthemes prestige; Wordpress; Wordpress wordpress

Fri, 20 Feb 2026 16:15:00 +0000

Type: Description
Values removed: (none)
Values added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jthemes Prestige prestige allows Reflected XSS.This issue affects Prestige: from n/a through < 1.4.1.

Type: Title
Values removed: (none)
Values added: WordPress Prestige theme < 1.4.1 - Reflected Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values removed: (none)
Values added: CWE-79

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:53:18.731Z

Reserved: 2025-12-31T20:12:18.800Z

Link: CVE-2025-69330

Vulnrichment

Updated: 2026-02-23T21:37:06.792Z

NVD

Status: Deferred

Published: 2026-02-20T16:22:20.317

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-69330

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-27T20:45:12Z

Weaknesses