CVE-2025-39365

Vulnerability

Overview

CVE-2025-39365 is a reflected cross-site scripting (XSS) vulnerability in the Rocket Apps wProject WordPress theme, affecting versions before 5.8.0. The issue stems from improper neutralization of user-supplied input during web page generation, allowing an attacker to inject arbitrary HTML and JavaScript into a response [1].

Exploitation

Details

To exploit this vulnerability, an attacker must craft a malicious link or URL containing the XSS payload and trick a privileged user (e.g., an administrator) into clicking it. Successful exploitation requires user interaction, such as clicking a link or visiting a specially crafted page. The vulnerability is considered moderately dangerous and is expected to be used in mass-exploit campaigns targeting thousands of websites [1].

Impact

If exploited, an attacker can execute arbitrary scripts in the context of the victim's browser. This could lead to session hijacking, defacement, redirection to malicious sites, or injection of advertisements and other HTML payloads. The CVSS v3 score is 7.1 (High), reflecting the potential for significant harm despite the need for user interaction [1].

Mitigation

The vulnerability is resolved in version 5.8.0 of the wProject theme. Users are strongly advised to update immediately. If updating is not possible, Patchstack offers a mitigation rule to block attacks until the update can be applied [1].