CVE-2025-62036
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in uxper Togo togo. This issue affects Togo: from n/a through < 1.0.4 (that is, every version before 1.0.4).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored Cross-Site Scripting in the WordPress Togo theme (versions before 1.0.4) allows an attacker with subscriber-level or higher privileges to inject arbitrary script that executes when a privileged user (an administrator) views the page holding the payload.
The WordPress Togo theme, in all versions before 1.0.4, contains a Cross-Site Scripting (XSS) vulnerability caused by improper neutralization of user-supplied input during web page generation (CWE-79). The CVE description records only that class and the affected version range; the characterization of the flaw as stored and reachable from a subscriber-level account comes from the cited reference [1]. On that account, the theme stores input from an authenticated low-privilege user without adequate sanitization and later renders it without output escaping, so injected HTML or JavaScript is executed in the context of an administrator's session [1].
Exploitation requires user interaction: a privileged user such as an administrator must render a page containing the stored payload, whether by following a crafted link or simply by opening a dashboard view where the attacker-controlled content is displayed. The attacker needs no access to an admin account, but does need an account on the target site and must wait for, or lure, an administrator into viewing the payload. Both requirements, an authenticated account and admin interaction, limit untargeted mass exploitation; sites with open registration ("Anyone can register") or that hand out subscriber accounts for commenting lower that bar considerably [1].
Successful exploitation gives the attacker script execution in the browser of an authenticated administrator. Typical outcomes are redirecting visitors to malicious sites, injecting unwanted advertisements, and, because the script can issue same-origin requests that carry the admin's session (WordPress authentication cookies are HttpOnly by default, so the practical route is forged requests rather than cookie theft), any action the administrator can perform: modifying site content, creating new administrator accounts, or installing further malicious plugins [1].
The vendor has released a patched version, 1.0.4. Update immediately; confirm the running version first (Appearance > Themes in the dashboard, or `wp theme list` with WP-CLI). If updating is not possible, apply a virtual patch or mitigation rule from a security plugin such as Patchstack to block exploit attempts, and consider disabling open registration until the update lands. As of the narrative's generation date the issue is rated as moderately dangerous; this page carries no report of exploitation in the wild [1].
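The store-then-render pattern described above, with the hardened form beside it, as an added illustration that is not code from the Togo theme: the CVE record gives only the vulnerability class and version range, so the `tagline` user-meta field, the function names, and the `edit_posts` capability chosen here are hypothetical. The WordPress functions used are shimmed when absent so the file runs under plain `php` on the command line; inside WordPress the real implementations are used and the shims are skipped.

```php
<?php
// Added illustration, not the Togo theme's code. Field names, function names
// and the capability check are hypothetical; the CVE text gives only CWE-79
// and the affected range.

// Rough stand-ins so this file runs with plain `php`. Under WordPress the real
// functions exist and these conditional definitions are never executed.
if (!function_exists('esc_html')) {
    function esc_html($s) { return htmlspecialchars((string)$s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
}
if (!function_exists('esc_attr')) {
    function esc_attr($s) { return htmlspecialchars((string)$s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
}
if (!function_exists('sanitize_text_field')) {
    // Approximation of WordPress's sanitize_text_field(): strip tags and whitespace.
    function sanitize_text_field($s) { return trim(strip_tags((string)$s)); }
}
if (!function_exists('current_user_can')) {
    // Simulate a subscriber: only the 'read' capability is granted.
    function current_user_can($cap) { return $cap === 'read'; }
}
if (!function_exists('wp_verify_nonce')) {
    function wp_verify_nonce($nonce, $action) { return $nonce === 'valid'; }
}

// --- Vulnerable pattern: store subscriber input verbatim, echo it raw later. ---
function vuln_save_tagline(array &$meta, array $request) {
    // No nonce, no capability check beyond being logged in, no sanitization.
    $meta['tagline'] = $request['tagline'];
}
function vuln_render_author_box(array $meta) {
    // Raw interpolation into HTML: a stored <script> or event-handler attribute
    // executes in the browser of whoever renders this, including an administrator.
    return '<div class="author-tagline" title="' . $meta['tagline'] . '">'
         . $meta['tagline'] . '</div>';
}

// --- Hardened pattern: nonce + capability on save, sanitize on save, escape on output. ---
function safe_save_tagline(array &$meta, array $request) {
    if (!isset($request['_wpnonce']) || !wp_verify_nonce($request['_wpnonce'], 'save_tagline')) {
        return false;
    }
    if (!current_user_can('edit_posts')) { // subscribers do not have this capability
        return false;
    }
    $meta['tagline'] = sanitize_text_field($request['tagline'] ?? '');
    return true;
}
function safe_render_author_box(array $meta) {
    $t = $meta['tagline'] ?? '';
    // Context-specific escaping: esc_attr() inside the attribute, esc_html() in the body.
    return '<div class="author-tagline" title="' . esc_attr($t) . '">'
         . esc_html($t) . '</div>';
}

// Constructed payload of the kind a subscriber-level account might submit.
$payload = ['tagline' => '"><img src=x onerror=alert(document.cookie)>', '_wpnonce' => 'valid'];

$meta = [];
vuln_save_tagline($meta, $payload);
echo "vulnerable output:   " . vuln_render_author_box($meta) . PHP_EOL;

$meta2 = [];
$accepted = safe_save_tagline($meta2, $payload);
echo "hardened save accepted by subscriber? " . var_export($accepted, true) . PHP_EOL;

// Output escaping is the CWE-79 fix proper: even a value stored verbatim by an
// older version (as $meta is here) is rendered inert once escaped on output.
echo "hardened output of previously stored value: " . safe_render_author_box($meta) . PHP_EOL;
```

The last line is the one to check when reviewing a theme update for a fix like this: sanitizing on save blocks new payloads, but only escaping at the point of output (late escaping, in WordPress terms) neutralizes what earlier versions already stored, so a patch that only adds `sanitize_text_field()` on the write path leaves existing records exploitable.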
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.