CVE-2025-15654

Vulnerability

An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists in the Fox-themes Prague plugin for WordPress. This vulnerability allows for Reflected XSS and affects versions of Prague from n/a through 2.2.8 [1].

Exploitation

Exploitation of this vulnerability requires user interaction, such as a privileged user clicking a malicious link, visiting a crafted page, or submitting a form [1]. The attacker needs to trick a privileged user into performing an action to initiate the attack.

Impact

Successful exploitation could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads, into the website. These scripts would then be executed when visitors access the compromised site, potentially leading to various malicious actions [1].

Mitigation

Update the Fox-themes Prague plugin to version 2.2.9 or later to resolve this vulnerability [1]. If an immediate update is not possible, users are advised to seek assistance from their hosting provider or web developer. Patchstack has provided a mitigation rule to block attacks until a patched version is installed [1].