VYPR
High severity · 7.1 · NVD Advisory · Published Jul 4, 2025 · Updated Apr 23, 2026

CVE-2025-49274

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in awordpresslife Neom Blog neom-blog allows Reflected XSS. This issue affects Neom Blog: from n/a through <= 0.0.9.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS in Neom Blog WordPress theme versions ≤0.0.9 allows unauthenticated attackers to inject arbitrary scripts via crafted links.

Vulnerability Details: The Neom Blog theme suffers from improper neutralization of user input during web page generation, leading to a reflected XSS vulnerability [1]. This occurs because the theme fails to properly sanitize and escape input before including it in output, allowing an attacker to inject arbitrary HTML and JavaScript [1].

Exploitation: The vulnerability can be exploited without authentication. An attacker can craft a malicious link containing the XSS payload and trick a privileged user (e.g., administrator) into clicking it [1]. Successful exploitation requires user interaction, such as clicking the link or visiting a crafted page [1]. The CVSS v3 score is 7.1, indicating high severity [1].

Impact: If exploited, a threat actor can inject malicious scripts, redirect users to phishing sites, display advertisements, or perform other actions in the context of the victim's browser [1]. This could lead to site defacement, data theft, or further compromise of the WordPress installation.

Mitigation: The vulnerability is patched in version 0.1.0 and later; users are advised to update immediately [1]. If unable to update, a security plugin like Patchstack can provide a virtual patch to block attacks [1]. Due to the potential for mass exploitation, prompt action is recommended [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (1)

News mentions (0)

No linked articles in our index yet.