VYPR
Medium severity 6.5 · NVD Advisory · Published Dec 16, 2025 · Updated Apr 15, 2026

CVE-2025-68076

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Select-Themes Stockholm Core stockholm-core allows Stored XSS. This issue affects Stockholm Core: from n/a through <= 2.4.6.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS vulnerability in Stockholm Core plugin for WordPress allows authenticated attackers to inject malicious scripts, affecting sites using versions up to 2.4.6.

The Stockholm Core plugin for WordPress versions up to 2.4.6 contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user input during web page generation [1]. This allows attackers to inject arbitrary HTML and JavaScript code that gets stored and executed when other users view the affected pages.

Exploitation requires a privileged user role, such as a contributor or higher, to submit crafted input that is not properly sanitized [1]. The attacker must have the ability to post or edit content, and the injected script will execute when any visitor accesses the compromised page. User interaction is not required from the victim beyond normal page viewing.

Successful exploitation enables an attacker to perform actions such as redirecting visitors to malicious sites, displaying unauthorized advertisements, or stealing session cookies [1]. This can lead to further compromise of the WordPress site and its users.

The vulnerability is patched in version 2.4.7 or later. Users are strongly advised to update the plugin immediately. If unable to update, consider restricting user roles or using a web application firewall as a temporary measure [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

References

1
