CVE-2025-22789

A reflected cross-site scripting (XSS) vulnerability exists in the WordPress polka dots theme through version 1.2 due to improper neutralization of input during web page generation [1]. This flaw allows an attacker to inject arbitrary HTML and JavaScript into the response.

The attack vector is reflected XSS, meaning the malicious payload is embedded in a crafted URL or form submission. Exploitation requires a privileged user (such as an admin) to click a malicious link or visit a specially crafted page, leading to script execution in their browser [1]. No authentication is needed for the attacker to prepare the payload, but user interaction is essential for successful exploitation.

Successful exploitation could allow an attacker to inject malicious scripts that perform actions like redirects, displaying advertisements, or stealing sensitive information when visitors access the affected site. The vulnerability is considered moderately dangerous and is expected to be used in mass-exploit campaigns [1].

As of the publication date, no official patch has been released. However, Patchstack has provided a mitigation rule to block attacks until an update becomes available. Users are advised to update the theme when a patched version is released or apply the mitigation rule from Patchstack [1].