CVE-2025-23983

Vulnerability

The Tijaji WordPress theme, in versions 1.43 and earlier, contains a reflected cross-site scripting (XSS) vulnerability. This arises from improper neutralization of user-supplied input during page generation [1]. The theme fails to sanitize or escape certain parameters, allowing arbitrary HTML and JavaScript to be injected.

Exploitation

An attacker can craft a malicious URL containing a payload. The vulnerability requires no special privileges to initiate, but successful exploitation depends on a privileged user (e.g., an administrator) clicking the crafted link, visiting a prepared page, or submitting a form. This user interaction is necessary for the attack to execute [1].

Impact

If exploited, the attacker can inject arbitrary scripts, redirects, advertisements, or other HTML payloads into the website. These scripts execute in the context of the victim's browser when they visit the site, potentially leading to credential theft, session hijacking, or defacement [1].

Mitigation

The theme has not received updates in over a year and is unlikely to be patched. The vendor recommends removing and replacing the theme entirely. Deactivating the theme does not remove the security threat. Patchstack offers a mitigation rule to block attacks until a permanent fix can be applied [1].