CVE-2025-55713
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in creativethemeshq Blocksy blocksy allows Stored XSS. This issue affects Blocksy: from n/a through <= 2.1.6.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored XSS vulnerability in the Blocksy WordPress theme allows attackers to inject malicious scripts via unsanitized input, affecting versions up to 2.1.6.
Vulnerability
CVE-2025-55713 is a stored Cross-Site Scripting (XSS) vulnerability in the Blocksy WordPress theme by creativethemeshq. The flaw arises from improper neutralization of user-supplied input during web page generation [1]. This allows an authenticated attacker with elevated privileges (such as a shop manager or administrator) to inject arbitrary HTML or JavaScript code that is stored on the server and later executed when other users, including visitors, access the affected page.
Exploitation
Exploitation requires an authenticated user with the necessary permissions to save content (e.g., theme options, widgets, or posts) that is processed by the vulnerable theme code. The attacker then injects a malicious payload, such as a script tag, which the theme fails to sanitize or escape [1]. No direct user interaction (e.g., clicking a link) is needed for the stored payload to execute; simply visiting the compromised page triggers the script in the victim's browser.
Impact
A successful attack could allow the attacker to perform actions such as redirecting visitors to malicious sites, displaying advertisements, stealing session cookies, or defacing the website. While the CVSS score of 5.9 (Medium) indicates relatively low severity, the vulnerability may be targeted in automated mass-exploit campaigns against numerous WordPress sites [1].
Mitigation
The vendor has released version 2.1.7, which resolves the issue by properly sanitizing or escaping the vulnerable input fields. Users are strongly advised to update the Blocksy theme to version 2.1.7 or later [1]. If an immediate update is not possible, it is recommended to limit the number of privileged users and review all custom content for potential malicious code.
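To illustrate the class of fix the advisory describes, here is an added example in plain PHP; it is not Blocksy's code (the advisory does not name the vulnerable field), and the option name `footer_text`, the sample stored value and the `render_*` / `sanitize_*` function names are all constructed for this illustration. It shows the generic stored-XSS pattern, a theme option echoed into HTML as-is, beside the two defensive layers a theme should apply: escaping at output time and sanitizing at save time. Plain `htmlspecialchars()` and `strip_tags()` are used so the snippet runs without WordPress; the WordPress equivalents (`esc_html()`, `esc_attr()`, `wp_kses_post()`, `sanitize_text_field()`) are noted in the comments.

```php
<?php
// Added example (not Blocksy's code): stored XSS via an unescaped theme
// option, and the hardened output/input handling. Runs stand-alone.

// Constructed sample of what a privileged user could save into a
// hypothetical "footer_text" theme option.
$stored_options = [
    'footer_text' => 'Copyright 2025 <script>alert(1)</script> Example Site',
];

// VULNERABLE pattern: the stored value is concatenated into the page
// unchanged, so any markup it contains is parsed and executed by every
// visitor's browser. This is the "improper neutralization" the CVE names.
function render_footer_vulnerable(string $text): string
{
    return '<div class="site-footer">' . $text . '</div>';
}

// HARDENED, layer 1 (output escaping): encode HTML-special characters so the
// browser displays the markup as literal text instead of interpreting it.
// WordPress themes use esc_html() for element content and esc_attr() for
// attribute values; ENT_QUOTES makes this safe in both contexts.
function render_footer_escaped(string $text): string
{
    $safe = htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="site-footer">' . $safe . '</div>';
}

// HARDENED, layer 2 (input sanitization on save): when a field is meant to
// hold plain text, strip tags before the value ever reaches the database.
// WordPress: sanitize_text_field() as the option's sanitize_callback, or
// wp_kses_post() when a limited, allow-listed set of markup is intended.
function sanitize_footer_on_save(string $raw): string
{
    $clean = strip_tags($raw);
    $clean = preg_replace('/[\r\n\t]+/', ' ', $clean);
    return trim($clean);
}

// Defensive review helper for the "review all custom content" advice:
// flags stored option values that carry active-content markup so an
// administrator can inspect them. Heuristic, not a complete parser.
function find_suspicious_options(array $options): array
{
    $pattern = '/<\s*script\b|\bon[a-z]+\s*=|javascript\s*:/i';
    $flagged = [];
    foreach ($options as $name => $value) {
        if (is_string($value) && preg_match($pattern, $value)) {
            $flagged[] = $name;
        }
    }
    return $flagged;
}

// Demonstration: the vulnerable render emits the script tag verbatim, the
// escaped render shows it as text, and the sanitized-then-escaped path
// removes the tag entirely.
echo "vulnerable: " . render_footer_vulnerable($stored_options['footer_text']) . PHP_EOL;
echo "escaped:    " . render_footer_escaped($stored_options['footer_text']) . PHP_EOL;
echo "sanitized:  " . render_footer_escaped(
    sanitize_footer_on_save($stored_options['footer_text'])
) . PHP_EOL;
echo "flagged:    " . implode(', ', find_suspicious_options($stored_options)) . PHP_EOL;
```

Output escaping is the layer that closes the bug regardless of how the value got into the database, which is why advisories for this CVE class describe the fix as escaping or sanitizing "the vulnerable input fields"; the save-time sanitizer is defense in depth, and the review helper is only a triage aid for content already stored before the update.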
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=2.1.6
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.