CVE-2025-49873

Vulnerability

Overview

The Elessi WordPress theme (versions up to and including 6.3.9) contains a reflected cross-site scripting (XSS) flaw due to improper neutralization of user-supplied input during web page generation [1]. This vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) and has a CVSS v3 score of 7.1 (High).

Exploitation

Attackers can exploit this vulnerability by crafting a malicious link that, when clicked by a privileged user (such as a site administrator), injects arbitrary HTML and JavaScript into the generated page [1]. No authentication on the attacker's part is needed, but successful exploitation requires the target user to perform an action such as clicking a link, visiting a crafted page, or submitting a form. The vulnerability is considered moderately dangerous and is expected to be used in mass-exploit campaigns targeting thousands of websites regardless of size or popularity.

Impact

Successful exploitation allows an attacker to inject malicious scripts that can be executed when visitors access the affected website. This could lead to redirects, ad injections, theft of session cookies, or other HTML payloads that compromise the integrity and security of the site [1].

Mitigation

The vendor NasaTheme has released a patched version 6.4.1 to resolve the vulnerability [1]. Users are strongly advised to update immediately. For those unable to update promptly, Patchstack provides a mitigation rule that can block attacks until the theme is updated [1]. No workarounds beyond updating or using a web application firewall are mentioned in the advisory.