CVE-2025-54718
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NooTheme Yogi - Health Beauty & Yoga noo-yogi allows Reflected XSS.This issue affects Yogi - Health Beauty & Yoga: from n/a through <= 2.9.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in Yogi theme ≤2.9.2 allows attackers to inject malicious scripts via crafted input.
Vulnerability
CVE-2025-54718 is a reflected cross-site scripting (XSS) vulnerability in the Yogi - Health Beauty & Yoga WordPress theme, affecting versions through 2.9.2. The issue arises due to improper neutralization of user-supplied input during web page generation, allowing an attacker to inject arbitrary HTML and JavaScript into the application's response [1].
Exploitation
This reflected XSS requires user interaction, such as clicking a crafted link or visiting a maliciously prepared page. Attackers can leverage this to inject payloads without needing authentication, making it suitable for mass exploitation campaigns targeting any site running the vulnerable theme [1].
Impact
Successful exploitation enables an attacker to execute arbitrary scripts in the context of the victim's browser. This can lead to redirects, ads, or other HTML payloads, potentially compromising user sessions or delivering further attacks [1].
Mitigation
The vulnerability is resolved in version 2.9.3 of the theme. Affected users should update immediately. As a temporary measure, Patchstack provides a mitigation rule to block attacks until the update is applied [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1News mentions
0No linked articles in our index yet.