VYPR
High severity · 7.1 · NVD Advisory · Published May 19, 2025 · Updated Apr 28, 2026

CVE-2025-22678

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mythemes my white allows Reflected XSS. This issue affects my white: from n/a through 2.0.8.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS vulnerability in WordPress my white theme allows attackers to inject malicious scripts via crafted links, requiring user interaction.

The my white theme for WordPress versions up to 2.0.8 contains a reflected Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user input during web page generation [1]. This flaw enables an attacker to inject arbitrary HTML and JavaScript into web pages, which is then executed in the context of the victim's browser.

Exploitation requires user interaction: the attacker must trick a privileged user (e.g., an administrator) into clicking a malicious link or visiting a specially crafted page [1]. No authentication is needed to deliver the payload, but the target user must perform an action to trigger the attack. The vulnerability is classified as reflected XSS and does not require storing malicious code on the server.

Successful exploitation allows the attacker to execute arbitrary scripts, potentially leading to session hijacking, website defacement, redirection to malicious sites, or injection of ads and other HTML payloads [1]. The CVSS v3 base score is 7.1, indicating a high severity, and the vulnerability is expected to be used in mass-exploit campaigns.

As a mitigation, the theme should be updated to a patched version if available. The Patchstack advisory provides a mitigation rule to block attacks until an official fix is released [1]. Users are advised to update immediately or seek assistance from their hosting provider.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

0

No patches discovered yet.

References

1
