CVE-2025-67539
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Select-Themes Select Core select-core allows DOM-Based XSS.This issue affects Select Core: from n/a through < 2.6.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Select Core plugin for WordPress before version 2.6 contains a DOM-based Cross-Site Scripting (XSS) vulnerability that allows privileged users to inject malicious scripts.
Root
Cause
Improper neutralization of user input during web page generation in the Select Core plugin for WordPress allows DOM-based Cross-Site Scripting (XSS). This vulnerability resides in the select-core component and affects versions from n/a through < 2.6. [1]
Exploitation
Exploitation requires a privileged user to perform an action such as clicking a malicious link, visiting a crafted page, or submitting a form. While the attacker must be authenticated with a certain role, successful exploitation depends on user interaction from a higher-privileged user. [1]
Impact
An attacker can inject malicious scripts, including redirects, advertisements, and other HTML payloads. These scripts execute when other visitors or administrators access the affected site, leading to potential defacement, data theft, or further compromise. [1]
Mitigation
The vendor has released version 2.6 which resolves this issue. Users are advised to update to version 2.6 or later. Patchstack users can enable auto-update for vulnerable plugins. [1]
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1News mentions
0No linked articles in our index yet.