CVE-2025-54724

Vulnerability

Description CVE-2025-54724 is a reflected cross-site scripting (XSS) vulnerability in the Golo WordPress theme, affecting versions up to and including 1.7.1. The root cause is improper neutralization of user-supplied input during web page generation, allowing an attacker to inject arbitrary HTML and JavaScript into pages.

Exploitation

An attacker can craft a malicious link containing the XSS payload and trick a privileged user (e.g., an administrator) into clicking it. Successful exploitation does not require authentication but depends on user interaction, such as clicking a link or submitting a form. The vulnerability is considered moderately dangerous and is expected to be used in mass-exploit campaigns targeting thousands of WordPress sites.

Impact

If exploited, the attacker can execute arbitrary scripts in the victim's browser, potentially leading to session hijacking, website defacement, redirection to malicious sites, or injection of ads and other HTML payloads. This could compromise the integrity of the website and expose visitors to further attacks.

Mitigation

The vendor has released version 1.7.2 to fix the vulnerability. Users are strongly advised to update immediately. If updating is not possible, deploying a virtual patching rule (e.g., from Patchstack) can block attacks until the update is applied [1].