CVE-2025-68077

Vulnerability

Description CVE-2025-68077 is a stored Cross-Site Scripting (XSS) vulnerability in the Select-Themes Stockholm theme for WordPress, affecting versions from n/a through 9.14.1. The issue stems from improper neutralization of user input during web page generation, allowing attackers to inject arbitrary JavaScript or HTML that gets stored and executed when visitors load affected pages.

Exploitation

Prerequisites Exploitation requires a user with elevated privileges (e.g., administrator) to perform an action, such as clicking a malicious link or submitting a crafted form. The attacker does not need direct network access to the server; instead, they can deliver the payload via social engineering or a phishing campaign. Once triggered, the injected script persists in the theme's data.

Impact

Successful exploitation enables an attacker to perform actions like redirecting visitors to malicious sites, displaying advertisements, stealing session cookies, or defacing the website. Because the XSS is stored, every user visiting the compromised page may be affected, amplifying the reach of an attack.

Mitigation

The vulnerability is fixed in version 9.14.2 or later. Users are strongly advised to update the Stockholm theme immediately. If updating is not possible, contacting the hosting provider or a web developer for assistance is recommended [1].