CVE-2025-31037
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in favethemes Homey (homey) allows Reflected XSS. This issue affects Homey: from n/a through 2.4.5 (all versions up to and including 2.4.5).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in the Homey theme (<= 2.4.5) lets an unauthenticated attacker inject script via a crafted link; exploitation requires the victim to open that link.
The Homey WordPress theme (versions up to and including 2.4.5) contains a reflected cross-site scripting (XSS) vulnerability: user-controlled request input is written into the generated page without being neutralized. An attacker can therefore place arbitrary HTML and JavaScript into a page served by the site, and that content executes in the victim's browser under the site's origin [1].
Exploitation requires user interaction, such as clicking a crafted link or visiting an attacker-controlled page that loads the malicious URL. No authentication is needed to build the triggering request, so any unauthenticated attacker can target users of a site running the vulnerable theme, and the attack is simple enough to automate across the many sites that use the theme [1].
A successful attack runs attacker-chosen script in the victim's session, which can be used to redirect users to malicious sites, inject unwanted advertisements, or steal session data and other sensitive information. The CVSS score of 7.1 places the issue in the High severity band; the user-interaction requirement is offset by the ease of mass, automated exploitation [1].
To remediate, site owners should update the Homey theme to a patched release as soon as one is available. As an interim measure, Patchstack provides a virtual patching rule that blocks exploitation attempts until the official fix is applied [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.