CVE-2025-54721

The Resca theme, developed by ThimPress, is vulnerable to a reflected Cross-Site Scripting (XSS) attack due to improper neutralization of user input during web page generation. This vulnerability affects all versions from n/a through 3.0.2. The issue is classified as a high-severity flaw with a CVSS v3 score of 7.1 [1].

Exploitation requires user interaction, typically in the form of clicking a crafted link or visiting a malicious page. The attack can be initiated by an unauthenticated attacker, but successful execution relies on a privileged user performing an action, such as clicking a link or submitting a form. This makes the vulnerability suitable for mass exploitation campaigns targeting multiple websites [1].

An attacker exploiting this vulnerability can inject arbitrary scripts or HTML payloads into the victim's browser. This could lead to redirects, displaying unwanted advertisements, stealing sensitive session tokens, or other malicious actions that compromise the integrity of the website and the security of its visitors [1].

The vulnerability has been addressed in version 3.0.3 of the Resca theme. Users are strongly advised to update to this patched version immediately. If immediate updating is not possible, hosting providers or developers should be consulted for mitigation. Patchstack also provides a mitigation rule to block attacks until the update is applied [1].