VYPR
Medium severity 6.5 · NVD Advisory · Published Nov 21, 2025 · Updated Apr 15, 2026

CVE-2025-66053

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kriesi Enfold enfold allows Stored XSS. This issue affects Enfold: from n/a through <= 7.1.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in Enfold theme ≤7.1.2 allows attackers to inject malicious scripts via improperly neutralized input, patched in 7.1.3.

An Improper Neutralization of Input During Web Page Generation vulnerability, commonly known as Stored Cross-Site Scripting (XSS), exists in the Kriesi Enfold theme for WordPress. The issue affects all versions of the theme through 7.1.2 [1]. The root cause is insufficient sanitization of user-supplied input that is later rendered in web pages, allowing an attacker to store arbitrary HTML and JavaScript [1].

To exploit this vulnerability, an attacker must have a role capable of submitting input (e.g., author or editor). The attack requires user interaction — a privileged user must perform an action such as clicking a malicious link or visiting a crafted page [1]. Once the malicious script is stored, it executes automatically when other users or visitors view the affected page [1].

Successful exploitation could allow an attacker to inject malicious scripts, including redirects, advertisements, and other HTML payloads. These scripts would run in the context of a visitor's browser, potentially leading to data theft, session hijacking, or defacement [1]. The CVSS v3 score is 6.5 (Medium), indicating moderate impact [1].

The vulnerability is remediated in Enfold version 7.1.3. Users are strongly advised to update their theme to this version immediately [1]. For those unable to update, consulting a hosting provider or web developer is recommended. The vendor rates this issue as low severity; however, XSS vulnerabilities are commonly exploited in mass campaigns [1].
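The narrative above describes the general pattern behind this class of bug: data that an author or editor saved earlier is printed into a page without output escaping. The following is an added illustration, not Enfold's code and not from the advisory; the stored value, the function names and the page fragment are all constructed. It places the vulnerable rendering beside the hardened one and adds a small regression check a theme developer could keep in a test. It uses plain-PHP `htmlspecialchars()` so it runs without WordPress loaded; inside a theme the equivalent calls are `esc_html()` for text nodes, `esc_attr()` for attribute values and `wp_kses_post()` when limited HTML must be allowed.

```php
<?php
// Added illustration of stored XSS and its fix in a WordPress-style theme.
// Not Enfold's code; all names and sample values are hypothetical/constructed.

declare(strict_types=1);

// Constructed sample: a value a low-privileged author saved earlier (for
// example a widget title) that the theme later prints into the page.
const STORED_TITLE = 'Spring Sale <img src=x onerror="alert(1)">';

// Vulnerable pattern: the stored value is concatenated straight into HTML.
function render_title_unsafe(string $stored): string
{
    return '<h2 class="widget-title">' . $stored . '</h2>';
}

// Hardened pattern: escape at output time, for the context being written to
// (here an HTML text node). esc_html() does this job inside WordPress.
function render_title_safe(string $stored): string
{
    return '<h2 class="widget-title">'
        . htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8')
        . '</h2>';
}

// An attribute context needs its own treatment: the URL is validated and
// restricted to web schemes, then both URL and label are attribute-escaped
// (esc_url() / esc_attr() inside WordPress).
function render_link_safe(string $storedUrl, string $storedLabel): string
{
    $url = filter_var($storedUrl, FILTER_VALIDATE_URL);
    $scheme = $url === false ? null : parse_url($url, PHP_URL_SCHEME);
    if ($url === false || !in_array($scheme, ['http', 'https'], true)) {
        $url = '#';  // reject javascript:, data: and other non-web schemes
    }
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">'
        . htmlspecialchars($storedLabel, ENT_QUOTES, 'UTF-8') . '</a>';
}

// Regression check: rendered output must not contain a live tag with an
// event handler, a script tag, or a javascript: URL that came from stored data.
function contains_active_markup(string $html): bool
{
    return (bool) preg_match('/<[a-z][^>]*\son[a-z]+\s*=|<script\b|javascript:/i', $html);
}

$unsafe = render_title_unsafe(STORED_TITLE);
$safe   = render_title_safe(STORED_TITLE);

// In the unsafe output the <img onerror> survives and a browser would run it;
// in the safe output it is rendered as inert text (&lt;img ...&gt;).
echo "unsafe: $unsafe\n";
echo "safe:   $safe\n";
echo 'unsafe has active markup: ' . var_export(contains_active_markup($unsafe), true) . "\n";
echo 'safe has active markup:   ' . var_export(contains_active_markup($safe), true) . "\n";
echo render_link_safe('javascript:alert(1)', 'Read more') . "\n";
echo render_link_safe('https://example.test/sale', 'Read more') . "\n";
```

The point of the check function is that escaping is easy to forget in one of many template files; a test that renders each template with a known hostile stored value and asserts `contains_active_markup()` is false catches the omission before release.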

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0

No linked articles in our index yet.