CVE-2025-67618

Vulnerability

Description

The Brookside WordPress theme, versions from n/a through 1.4, contains a reflected cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation. This is a classic Reflected XSS issue where the application fails to sanitize or escape input before including it in the response page [1].

Exploitation

Conditions

An attacker can exploit this vulnerability by crafting a malicious link or URL containing a script payload. The attack requires user interaction: the victim (a privileged user, such as an administrator) must click the crafted link or visit a specially crafted page. No direct authentication is needed to launch the attack vector, but the XSS payload only executes when a logged-in user acts on the attacker's link [1].

Impact

Successful exploitation allows an attacker to inject arbitrary HTML and JavaScript into the victim's browser session within the context of the affected site. This can lead to session hijacking, defacement, redirection to malicious sites, or injection of advertisements and other unwanted content. The vulnerability is considered moderately dangerous and is expected to be used in mass-exploit campaigns targeting thousands of sites [1].

Mitigation

The vendor has not released a patch as of publication. A mitigation rule is available from Patchstack to block attacks. Users are advised to update the theme as soon as a patched version becomes available, or to contact their hosting provider for assistance. For immediate protection, applying a web application firewall rule or disabling the theme until patched is recommended [1].