CVE-2025-32305
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Sneeit WordPress FlatNews Theme flatnews allows Reflected XSS. This issue affects WordPress FlatNews Theme: from n/a through <= 5.8.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A reflected XSS vulnerability in the FlatNews WordPress theme (≤5.8) allows unauthenticated attackers to inject arbitrary web scripts via improperly neutralized input.
Vulnerability Overview
The FlatNews theme for WordPress, versions 5.8 and below, contains a reflected Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This stems from insufficient validation or escaping of parameters that are reflected back to the user in HTTP responses, enabling script injection [1].
Exploitation Details
An attacker can exploit this flaw without authentication by crafting a malicious link or URL containing JavaScript payloads. Successful exploitation requires user interaction: the targeted victim must click the crafted link, visit a specially prepared page, or submit a manipulated form [1]. This makes the vulnerability suitable for broad social-engineering campaigns where attackers target multiple sites simultaneously, regardless of site popularity [1].
Impact
If successfully triggered, the injected script executes in the context of the victim's browser session on the affected WordPress site. This can allow the attacker to perform actions such as redirecting users to malicious sites, injecting unwanted advertisements, or extracting sensitive information displayed on the page [1]. The CVSS v3 base score is 7.1 (High), reflecting the moderate complexity and requirement for user interaction but significant potential impact on confidentiality and integrity [1].
Mitigation Status
Users are strongly advised to update the FlatNews theme to version 6.2 or later, which contains the fix for this vulnerability [1]. For immediate protection, Patchstack has issued a mitigation rule that blocks attacks until the update is applied [1]. Given that this vulnerability is expected to be used in mass-exploit campaigns, timely remediation is critical [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1]
News mentions
No linked articles in our index yet.