CVE-2025-60101
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in duongancol Woostify woostify allows Stored XSS. This issue affects Woostify: from n/a through <= 2.4.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored Cross-Site Scripting vulnerability in the Woostify WordPress theme up to version 2.4.2 allows authenticated attackers to inject malicious scripts into web pages.
Vulnerability
Overview
The Woostify WordPress theme, versions 2.4.2 and earlier, contains a stored Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw enables attackers with required privileges to inject arbitrary JavaScript code that persists on the server and executes in the browsers of site visitors [1].
Exploitation
Requirements
Exploitation requires a privileged user role with the ability to submit or modify content fields that are inadequately sanitized by the theme [1]. While the vulnerability can be initiated by such an attacker, successful execution demands an action from another privileged user — such as clicking a malicious link, submitting a form, or visiting a crafted page — to trigger the stored payload [1].
Impact and Risk
An attacker exploiting this vulnerability can inject malicious scripts into the site, leading to potential redirects, unauthorized advertisements, or other HTML payloads that execute when visitors access the compromised pages [1]. This could compromise visitor data or tarnish site reputation, and such XSS flaws are commonly used in mass-exploit campaigns targeting WordPress sites regardless of their size [1].
Mitigation
The vendor has indicated that the Woostify theme is unlikely to receive further updates or patches, and simply deactivating the theme does not remove the security threat unless a mitigation rule (e.g., from Patchstack) is deployed [1]. The recommended action is to remove and replace the theme entirely [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 2.4.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.