Description
The WS Theme Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ws_weather shortcode in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-08-23
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-site Scripting
Action: Patch Now
AI Analysis

Impact

The WS Theme Addons plugin for WordPress allows stored cross‑site scripting through its_weather shortcode because user‑supplied attributes are not properly sanitized or escaped. An attacker who can authenticate with contributor access or higher can inject arbitrary JavaScript that will run when anyone views a page containing the malicious shortcode. This vulnerability is a classic input validation flaw (CWE-79) and can lead to data theft, credential compromise, or further site compromise.

Affected Systems

Vendors and products impacted are Wen Solutions’ WS Theme Addons plugin for WordPress, specifically all versions up to and including 2.0.0. No additional version details are provided in the advisory.

Risk and Exploitability

The CVSS score of 6.4 indicates a moderate severity, while the EPSS score of < 1% suggests a low exploitation probability at the time of this assessment. The vulnerability is not listed in the CISA KEV catalog, indicating it has not yet been widely observed in the wild. The likely attack vector is an authenticated contributor or higher user who can modify page content to insert a malicious shortcode. If exploitation succeeds, the attacker can execute scripts in the context of any user who views the affected content, potentially compromising account credentials and sensitive data.

Generated by OpenCVE AI on April 21, 2026 at 19:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WS Theme Addons to the latest available version if it is newer than 2.0.0.
  • If an upgrade is not possible, remove or disable the ws_weather shortcode from the site to eliminate the attack surface.
  • Limit contributor and above roles to only those users who truly require content editing privileges, and audit role assignments regularly.

Generated by OpenCVE AI on April 21, 2026 at 19:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-25820 The WS Theme Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ws_weather shortcode in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Tue, 26 Aug 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 23 Aug 2025 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Sat, 23 Aug 2025 04:30:00 +0000

Type Values Removed Values Added
Description The WS Theme Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ws_weather shortcode in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title WS Theme Addons <= 2.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via ws_weather Shortcode
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:01:17.677Z

Reserved: 2025-07-22T20:53:46.498Z

Link: CVE-2025-8062

cve-icon Vulnrichment

Updated: 2025-08-25T17:24:19.220Z

cve-icon NVD

Status : Deferred

Published: 2025-08-23T05:15:33.647

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-8062

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T19:30:06Z

Weaknesses