Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GT3themes SOHO - Photography WordPress Theme soho allows DOM-Based XSS. This issue affects SOHO - Photography WordPress Theme: from n/a through <= 3.0.3.
Published: 2026-02-20
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: DOM-based Cross Site Scripting
Action: Immediate Patch
AI Analysis

Impact

This vulnerability allows an attacker to execute arbitrary JavaScript in the browser of a visitor who loads a page rendered by the vulnerable theme. The flaw arises from improper neutralization of input during web page generation, as defined by CWE-79. Successful exploitation could lead to session hijacking, credential theft, malware delivery, or defacement of the site, and the attacker needs no special privileges on the WordPress installation.

Affected Systems

The GT3themes SOHO - Photography WordPress Theme is affected in all releases from the earliest published version up to and including 3.0.3. Users running WordPress with any of these theme versions are vulnerable.

Risk and Exploitability

The CVSS score of 7.1 places this issue in the High severity band, while the EPSS score of less than 1% suggests a low probability of widespread exploitation at present. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote: a malicious actor can deliver a crafted link or embed that, when a site visitor's browser renders the affected page, executes arbitrary JavaScript in the visitor's context. Because the flaw is DOM-based, the unsafe handling happens in the theme's client-side JavaScript rather than in server-generated HTML, so the malicious input need not be stored or reflected by the server; the attack does require the victim to open the crafted page in a browser (UI:R in the CVSS vector).

Generated by OpenCVE AI on April 28, 2026 at 17:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the SOHO - Photography WordPress Theme to the latest available release (≥3.0.4).
  • If an update is not feasible immediately, replace the theme with a trusted, up-to-date alternative and remove any files that may contain the vulnerable code.
  • Configure a Content Security Policy that disallows inline scripts to reduce the impact of accidental XSS payloads.

Advisories

No advisories yet.

History

Mon, 23 Feb 2026 22:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Feb 2026 15:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Gt3themes; Gt3themes soho - Photography Wordpress Theme; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Gt3themes; Gt3themes soho - Photography Wordpress Theme; Wordpress; Wordpress wordpress

Fri, 20 Feb 2026 16:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GT3themes SOHO - Photography WordPress Theme soho allows DOM-Based XSS. This issue affects SOHO - Photography WordPress Theme: from n/a through <= 3.0.3.

Type: Title
Values Removed: (none)
Values Added: WordPress SOHO - Photography WordPress Theme theme <= 3.0.3 - Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:55:48.498Z

Reserved: 2025-12-31T20:12:41.876Z

Link: CVE-2025-69368

Vulnrichment

Updated: 2026-02-23T21:37:03.696Z

NVD

Status: Deferred

Published: 2026-02-20T16:22:21.020

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-69368

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T17:45:16Z

Weaknesses