CVE-2025-64204
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeSphere SmartMag smart-mag allows Stored XSS. This issue affects SmartMag: from n/a through <= 10.3.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in ThemeSphere SmartMag theme ≤10.3.1 allows attackers with contributor+ privileges to inject persistent scripts executed for site visitors.
Vulnerability
Analysis
The SmartMag theme for WordPress, versions up to and including 10.3.1, contains a stored cross-site scripting (XSS) vulnerability classified as improper neutralization of input during web page generation (CWE-79) [1]. Input supplied by a low-privileged user is stored by the theme and later rendered into a page without being escaped for its HTML context, so arbitrary HTML and JavaScript can be injected into pages that are then served to other users. The advisory does not identify the specific field or template involved.
Exploitation
Exploitation requires an authenticated account with at least the contributor role [1]. Contributors can create and edit their own drafts but cannot publish them and lack the unfiltered_html capability, so WordPress core already strips script from their post content; stored XSS in a theme therefore commonly comes from theme-specific input (post meta, shortcode or widget settings, and similar) that the theme saves and renders without escaping. Once the payload is stored, no further interaction is required from the attacker or the victim beyond loading the page: the script executes in the browser of anyone who renders the affected content, which includes an editor or administrator who previews or reviews the contributor's draft, and every visitor once the post is published.
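The pattern described in the analysis and exploitation paragraphs, as an added example that is not SmartMag's code: a hypothetical theme meta field '_example_subtitle' (form field 'example_subtitle') that is saved and echoed unescaped, beside a hardened version that validates the request, sanitizes on input and escapes per HTML context on output. The field name, function names and meta box are assumptions for illustration; the actual SmartMag sink is not named in the advisory and is not reproduced here.

```php
<?php
/**
 * Added example, not SmartMag's code. Shows the stored-XSS pattern the
 * advisory describes on a hypothetical theme meta field '_example_subtitle'
 * (form field 'example_subtitle'), beside a hardened version.
 */

/* ---------- Vulnerable pattern ---------- */

// Saves whatever the post editor submitted: no nonce, capability or
// sanitization check. A contributor's own draft is enough to reach this.
function example_save_subtitle_vulnerable( $post_id ) {
	if ( isset( $_POST['example_subtitle'] ) ) {
		update_post_meta( $post_id, '_example_subtitle', $_POST['example_subtitle'] );
	}
}

// The sink: the stored value is concatenated into markup unescaped, in both
// an attribute and a text context. A value such as "><script>...</script>
// executes for everyone who renders the post, reviewers included.
function example_render_subtitle_vulnerable( $post_id ) {
	$subtitle = get_post_meta( $post_id, '_example_subtitle', true );
	echo '<h2 class="subtitle" title="' . $subtitle . '">' . $subtitle . '</h2>';
}

/* ---------- Hardened pattern ---------- */

// Meta box carrying the field plus a nonce that ties the submission to this handler.
add_action( 'add_meta_boxes', function () {
	add_meta_box( 'example_subtitle', 'Subtitle', function ( $post ) {
		wp_nonce_field( 'example_save_subtitle', 'example_subtitle_nonce' );
		printf(
			'<input type="text" name="example_subtitle" value="%s">',
			esc_attr( get_post_meta( $post->ID, '_example_subtitle', true ) )
		);
	}, 'post' );
} );

function example_save_subtitle( $post_id ) {
	// Only handle our own form, skip autosaves, and require edit rights on this post.
	if ( ! isset( $_POST['example_subtitle_nonce'] )
		|| ! wp_verify_nonce( $_POST['example_subtitle_nonce'], 'example_save_subtitle' ) ) {
		return;
	}
	if ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) {
		return;
	}
	if ( ! current_user_can( 'edit_post', $post_id ) ) {
		return;
	}
	// A subtitle is plain text: strip tags, control characters and stray whitespace on input.
	$raw = isset( $_POST['example_subtitle'] ) ? wp_unslash( $_POST['example_subtitle'] ) : '';
	update_post_meta( $post_id, '_example_subtitle', sanitize_text_field( $raw ) );
}
add_action( 'save_post', 'example_save_subtitle' );

// Output escaping is what actually neutralizes a payload, and it must match
// the HTML context: esc_attr() inside an attribute, esc_html() in element text.
// Escape at output even though input was sanitized, because other paths
// (imports, other plugins, data stored before the fix) can populate the same meta.
function example_render_subtitle( $post_id ) {
	$subtitle = get_post_meta( $post_id, '_example_subtitle', true );
	echo '<h2 class="subtitle" title="' . esc_attr( $subtitle ) . '">'
		. esc_html( $subtitle ) . '</h2>';
}

// If a field must allow limited markup, filter it against WordPress's
// post-content allow-list at output instead of escaping everything.
function example_render_rich_subtitle( $post_id ) {
	echo wp_kses_post( get_post_meta( $post_id, '_example_subtitle', true ) );
}
```

The split between input sanitization and output escaping is deliberate: sanitizing on save limits what gets stored, but only context-aware escaping at the point of output guarantees that whatever is in the database cannot break out of the markup it is placed in.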
Impact
Successful exploitation lets the attacker run arbitrary script in the context of the site's origin for every user who loads the affected page, which can be used to redirect visitors to malicious sites, inject unwanted advertisements, or steal cookies and other data accessible to script [1]. WordPress sets its authentication cookies HttpOnly by default, so the more realistic escalation path is script that runs in an administrator's browser and performs privileged actions on their behalf, such as creating an administrator account or installing a plugin, using the victim's session and nonces. The vulnerability therefore puts both site visitors and site operators at risk and could be leveraged in automated campaigns against many WordPress sites at once.
Mitigation
The vendor fixed the issue in version 10.3.2 of the SmartMag theme [1]; users are strongly advised to update immediately. Where updating is not possible, interim measures are to audit and restrict accounts at contributor level and above (the role needed to plant the payload), review recently edited posts for injected markup, deploy a Content Security Policy as defence in depth, and consult the hosting provider or a web developer for site-specific mitigation. The vulnerability carries a CVSS v3 score of 6.5 (Medium), and the reporter rates the likelihood of exploitation as low, but a stored XSS reachable from a low-privilege account should be patched promptly.
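A way to verify the installed version against the fixed release from inside WordPress, as an added example that is not ThemeSphere's code: a must-use plugin that reads the parent theme's version and shows an admin notice when it is below 10.3.2. It assumes the theme directory slug is smart-mag (as given in the advisory description) and that the constant and function names here are hypothetical. Checking the parent rather than the active stylesheet matters because sites running SmartMag through a child theme would otherwise compare the child's version number, which says nothing about the parent's patch level.

```php
<?php
/**
 * Plugin Name: Example SmartMag version check for CVE-2025-64204
 * Description: Added example, not ThemeSphere code. Drop into wp-content/mu-plugins/
 * to flag an installed SmartMag older than the fixed release, 10.3.2, in wp-admin.
 */

// First fixed release per the advisory; everything below it is "<= 10.3.1".
const EXAMPLE_SMARTMAG_FIXED = '10.3.2';

// True when $version is below the first fixed release.
function example_smartmag_is_affected( $version ) {
	return version_compare( $version, EXAMPLE_SMARTMAG_FIXED, '<' );
}

// Returns the installed SmartMag version, or null if SmartMag is not the
// (parent) theme in use. get_template() resolves a child theme to its parent;
// the slug 'smart-mag' is assumed from the advisory description.
function example_smartmag_installed_version() {
	if ( 'smart-mag' !== get_template() ) {
		return null;
	}
	$theme = wp_get_theme( 'smart-mag' );
	return $theme->exists() ? (string) $theme->get( 'Version' ) : null;
}

// Surface the result to users who can act on it.
add_action( 'admin_notices', function () {
	if ( ! current_user_can( 'update_themes' ) ) {
		return;
	}
	$version = example_smartmag_installed_version();
	if ( null !== $version && example_smartmag_is_affected( $version ) ) {
		printf(
			'<div class="notice notice-error"><p>%s</p></div>',
			esc_html( sprintf(
				'SmartMag %s is affected by CVE-2025-64204 (stored XSS). Update to %s or later.',
				$version,
				EXAMPLE_SMARTMAG_FIXED
			) )
		);
	}
} );
```

SmartMag is distributed outside the WordPress.org directory, so the core updater will not necessarily offer 10.3.2; the notice is a prompt to apply the vendor's update through whatever channel the site uses.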
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- SmartMag (smart-mag): <= 10.3.1
Patches (0)
No patch commits discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.