{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25373", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:52:55.301Z", "datePublished": "2026-03-25T16:14:46.162Z", "dateUpdated": "2026-03-25T20:13:20.246Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "vayvo-progression", "product": "Vayvo", "vendor": "ProgressionStudios", "versions": [{"changes": [{"at": "6.8", "status": "unaffected"}], "lessThanOrEqual": "< 6.8", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:25.936Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ProgressionStudios Vayvo vayvo-progression allows Reflected XSS.<p>This issue affects Vayvo: from n/a through < 6.8.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ProgressionStudios Vayvo vayvo-progression allows Reflected XSS.This issue affects Vayvo: from n/a through < 6.8."}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "Reflected XSS"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:46.162Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/vayvo-progression/vulnerability/wordpress-vayvo-media-streaming-membership-wordpress-theme-theme-6-8-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "title": "WordPress Vayvo - Media Streaming & Membership WordPress Theme theme < 6.8 - Reflected Cross Site Scripting (XSS) vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-25373", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T20:11:22.927542Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T20:13:20.246Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-25373", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T20:11:22.927542Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T20:05:36.963Z"}}], "cna": {"title": "WordPress Vayvo - Media Streaming & Membership WordPress Theme theme < 6.8 - Reflected Cross Site Scripting (XSS) vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "Reflected XSS"}]}], "affected": [{"vendor": "ProgressionStudios", "product": "Vayvo", "versions": [{"status": "affected", "changes": [{"at": "6.8", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "< 6.8"}], "packageName": "vayvo-progression", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-03-25T17:12:25.936Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/vayvo-progression/vulnerability/wordpress-vayvo-media-streaming-membership-wordpress-theme-theme-6-8-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ProgressionStudios Vayvo vayvo-progression allows Reflected XSS.This issue affects Vayvo: from n/a through < 6.8.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ProgressionStudios Vayvo vayvo-progression allows Reflected XSS.<p>This issue affects Vayvo: from n/a through < 6.8.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:46.162Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25373", "state": "PUBLISHED", "dateUpdated": "2026-03-25T20:13:20.246Z", "dateReserved": "2026-02-02T12:52:55.301Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-25T16:14:46.162Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ProgressionStudios Vayvo vayvo-progression allows Reflected XSS.This issue affects Vayvo: from n/a through < 6.8."}], "id": "CVE-2026-25373", "lastModified": "2026-03-25T21:16:36.690", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T17:16:47.833", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/vayvo-progression/vulnerability/wordpress-vayvo-media-streaming-membership-wordpress-theme-theme-6-8-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T18:55:10.767731+00:00", "value": {"mitigation_remediation": ["Upgrade the Vayvo theme to version 6.8 or later", "If upgrading is not feasible, apply a temporary input sanitization layer or filter to strip out script tags from user inputs within the theme", "Monitor the site for anomalous JavaScript injection attempts and review server logs for suspicious query parameters", "Contact the theme vendor for additional guidance or future security updates"], "summary": {"action": "Patch Theme", "impact": "Cross\u2011Site Scripting (XSS)"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the ProgressionStudios Vayvo theme for WordPress and applies to all released versions from the initial launch through any version earlier than 6.8. Sites that continue to use any Vayvo theme version prior to the 6.8 update are susceptible to exploitation.", "description_and_impact": "This vulnerability is a reflected XSS flaw caused by improper input neutralization within the Vayvo WordPress theme. The flaw allows an attacker to embed malicious scripts in user-supplied data that is subsequently reflected back into the web page, enabling the execution of arbitrary JavaScript in the visitor\u2019s browser. Such client\u2011side code can be used for session hijacking, web\u2011mail phishing or defacement, thereby compromising confidentiality and integrity of site participants.", "risk_and_exploitability": "Because the issue is a reflected XSS, attackers can exploit it via a crafted URL or a form input that the theme reflects back to the page. No public exploit is catalogued and the EPSS score is not available, indicating that exploitation is possible but the likelihood depends on the presence of a public exploit. The vulnerability is not listed in the KEV catalog, but its potential impact remains high due to the ability to run arbitrary client\u2011side code. Prompt remediation is strongly advised, as the flaw does not require special privileges to affect end users browsing the site."}}}}, "created": "2026-03-25T21:44:49.079958+00:00", "updated": "2026-03-25T21:44:49.079990+00:00", "vendors": []}