VYPR
High severity · CVSS 7.1 · NVD Advisory · Published Jul 16, 2025 · Updated Apr 23, 2026

CVE-2025-31427

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in designthemes Invico - WordPress Consulting Business Theme (slug: invico) allows Reflected XSS. This issue affects Invico - WordPress Consulting Business Theme: from n/a through <= 1.9.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Invico WordPress theme (≤1.9) has a Reflected XSS vulnerability, allowing attackers to inject malicious scripts via crafted requests.

The Invico WordPress Consulting Business Theme is vulnerable to reflected cross-site scripting (XSS). This arises from improper neutralization of user-supplied input during web page generation [1]. Specifically, the theme fails to sanitize or escape input before including it in responses, making it possible for an attacker to inject arbitrary HTML and JavaScript code.

Exploitation requires user interaction: a privileged user must click a malicious link, visit a specially crafted page, or submit a form [1]. The vector is reflected XSS, meaning the injected payload is not stored; it is processed by the server and returned in the immediate response to the crafted request [1]. The attacker needs no account of their own; what is required is that the target user, typically one who is logged in, is the one who triggers the crafted request.

Successful exploitation could allow an attacker to execute malicious scripts in the context of the victim's browser session [1]. This can be used to steal session cookies, redirect users to malicious sites, inject advertisements, or deface the site. The vulnerability affects all versions of the Invico theme up to and including version 1.9 [1].

As of the advisory, no official patch has been released by the theme vendor. Patchstack has issued a mitigation rule to block attacks until a fix is available [1]. Users are advised to apply the rule or contact their hosting provider for assistance [1].
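The narrative above describes the flaw only in general terms: a request parameter is written into the page without escaping. The snippet below is an added illustration of that pattern and its fix in the WordPress idiom; it is not code from the Invico theme, and the template fragment and the `ref` and `back` parameter names are hypothetical. The `function_exists` stand-ins exist only so the file runs under a plain `php` CLI; inside WordPress the core `wp_unslash`, `esc_html`, `esc_attr` and `esc_url` functions are used.

```php
<?php
// Added example of the reflected-XSS pattern and its hardened form.
// NOT code from the Invico theme; the template and parameter names
// (`ref`, `back`) are hypothetical.

// Simplified stand-ins so this runs outside WordPress. They are NOT
// the real core implementations; inside WordPress the core ones win.
if (!function_exists('wp_unslash')) {
    function wp_unslash($value) {
        return is_array($value) ? array_map('wp_unslash', $value) : stripslashes((string) $value);
    }
}
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    // Simplified: permit only http(s) URLs, otherwise return an empty string.
    function esc_url($url) {
        $url = trim((string) $url);
        return preg_match('#^https?://#i', $url)
            ? htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
            : '';
    }
}

// Vulnerable pattern: request parameters are concatenated straight into
// the HTML. Whatever the visitor's URL carries ends up in the page as-is,
// in an attribute, in a text node and in an href.
function render_banner_vulnerable(array $get): string {
    $ref  = $get['ref']  ?? '';
    $back = $get['back'] ?? '/';
    return '<div class="banner" data-ref="' . $ref . '">'
         . 'Welcome, ' . $ref
         . ' <a href="' . $back . '">back</a></div>';
}

// Hardened pattern: unslash once, reject non-string input (?ref[]=x),
// then escape for the exact output context the value lands in:
// esc_attr() for attribute values, esc_html() for text, esc_url() for hrefs.
function render_banner_hardened(array $get): string {
    $ref  = isset($get['ref'])  ? wp_unslash($get['ref'])  : '';
    $back = isset($get['back']) ? wp_unslash($get['back']) : '/';
    if (!is_string($ref))  { $ref  = ''; }
    if (!is_string($back)) { $back = '/'; }

    $safe_back = esc_url($back);
    if ($safe_back === '') {       // disallowed scheme or empty: fall back
        $safe_back = '/';
    }
    return '<div class="banner" data-ref="' . esc_attr($ref) . '">'
         . 'Welcome, ' . esc_html($ref)
         . ' <a href="' . $safe_back . '">back</a></div>';
}

// Constructed sample input standing in for $_GET: markup in `ref` and a
// non-http scheme in `back`, the two cases the hardened renderer must neutralise.
$sample = [
    'ref'  => '"><b>injected</b>',
    'back' => 'javascript:void(0)',
];

echo "Vulnerable: ", render_banner_vulnerable($sample), PHP_EOL;
echo "Hardened:   ", render_banner_hardened($sample), PHP_EOL;
```

The point to take from the two renderers is that escaping is chosen per output context at the moment of output, not applied once on input: the same `ref` value needs `esc_attr()` inside the attribute and `esc_html()` in the text node, and a URL-bearing parameter needs `esc_url()` rather than HTML escaping. A review of a theme for this class of bug therefore looks for `$_GET`, `$_POST`, `$_REQUEST` and `$_SERVER['REQUEST_URI']` reaching `echo`, `print` or string concatenation without one of those calls in between.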

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (1)

News mentions (0)

No linked articles in our index yet.