CVE-2025-62991
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in thinkupthemes Minamaze minamaze allows Stored XSS. This issue affects Minamaze: from n/a through <= 1.10.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored XSS vulnerability exists in the Minamaze WordPress theme <= 1.10.1, allowing attackers with low privileges to inject arbitrary web scripts.
Root Cause
The Minamaze theme, versions from n/a through 1.10.1, contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user input during web page generation. This CWE-79 weakness means the theme does not properly sanitize or escape input before rendering it in pages.
Attack Vector
A user with low-level privileges (e.g., a subscriber or contributor role) can inject malicious JavaScript code into fields processed by the theme. The injected payload is then stored on the server and executed when any visitor or administrator views the affected page. The attack requires user interaction from a privileged user, such as clicking a crafted link or submitting a form, to trigger the stored script [1].
Impact
Successful exploitation allows an attacker to execute arbitrary HTML and JavaScript in the context of the victim's browser. This can be used to steal session cookies, redirect users to malicious sites, display advertisements, deface the website, or perform other actions that compromise the site's integrity and the privacy of its visitors [1].
Mitigation
Site owners should update the Minamaze theme to version 1.10.2 or later. If an update is not possible, they should ask their hosting provider or web developer for assistance. This vulnerability has been publicly disclosed, and given its nature, it may be targeted in mass-exploit campaigns [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
- Range: <=1.10.1
Patches: 0
No patches discovered yet.
References: 1
News mentions: 0
No linked articles in our index yet.