CVE-2025-68978
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in designthemes DesignThemes Core designthemes-core allows DOM-Based XSS. This issue affects DesignThemes Core: from n/a through <= 1.6.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
DOM-Based XSS in DesignThemes Core plugin for WordPress (≤1.6) allows script injection via crafted URLs.
Vulnerability Overview
The DesignThemes Core plugin for WordPress, versions up to and including 1.6, is vulnerable to DOM-based Cross-Site Scripting (XSS). The plugin's client-side code takes input it does not neutralize and writes it into the page, so an attacker who can get a user to open a crafted URL can run arbitrary JavaScript in that user's browser, in the context of the affected site.
Exploitation Details
Exploitation requires a privileged user (e.g., an administrator) to interact with a crafted link or form. The attack is user-initiated: the target must click a malicious link or visit a specially crafted page. Because the flaw is DOM-based, the payload is assembled by the page's own client-side script from the URL rather than reflected by the server; the malicious part can therefore be carried in a place the server never sees, such as the URL fragment, and will not appear in server-side logs or be caught by server-side filtering. [1]
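The following is an added illustration of the DOM-based XSS class this CVE belongs to; it is not the DesignThemes Core plugin's code, and the parameter name `tab`, the allowlist of tab names and the sample URLs are assumptions constructed for the example. It models a page that reads a parameter from the URL on the client and writes it into the document, shows the vulnerable concatenation beside two hardened forms, and returns the markup that would be assigned to `innerHTML` as a string so it runs in Node without a browser.

```javascript
// Added example: DOM-based XSS source/sink pattern and its fix.
// Not the plugin's code; names and URLs below are assumed for illustration.

const ALLOWED_TABS = new Set(['home', 'portfolio', 'contact']); // assumed tab names

// Client-side source: a "tab" parameter taken from the URL fragment, falling back
// to the query string. The fragment is never sent to the server, so server-side
// filtering and logs see nothing; this is what makes the bug DOM-based.
function getParam(url, name) {
  const u = new URL(url);
  const fragment = new URLSearchParams(u.hash.replace(/^#/, ''));
  return fragment.get(name) ?? u.searchParams.get(name);
}

// Vulnerable pattern: the untrusted string is concatenated into markup that the
// page then assigns to element.innerHTML, so any tag in it becomes live DOM.
function renderVulnerable(url) {
  const tab = getParam(url, 'tab') || 'home';
  return '<div class="active-tab">' + tab + '</div>';
}

// HTML-context encoder: the five characters that can break out of text content.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern 1: encode for the HTML context so the value renders as text.
// This is the general fix and is correct for arbitrary input.
function renderEscaped(url) {
  const tab = getParam(url, 'tab') || 'home';
  return '<div class="active-tab">' + escapeHtml(tab) + '</div>';
}

// Hardened pattern 2: when the parameter only selects among known values, map it
// onto an allowlist and never echo the raw string at all.
function renderAllowlisted(url) {
  const raw = getParam(url, 'tab') || 'home';
  const tab = ALLOWED_TABS.has(raw) ? raw : 'home';
  return '<div class="active-tab">' + tab + '</div>';
}

// Constructed sample inputs: a crafted link of the kind a victim would be sent,
// and a benign link. The payload sits in the fragment, so the server never sees it.
const CRAFTED_URL =
  'https://victim.example/page/#tab=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E';
const BENIGN_URL = 'https://victim.example/page/?tab=portfolio';

console.log('vulnerable :', renderVulnerable(CRAFTED_URL));
console.log('escaped    :', renderEscaped(CRAFTED_URL));
console.log('allowlisted:', renderAllowlisted(CRAFTED_URL));
```

In a real page the only way to get the crafted value in front of the victim is the social-engineering step the advisory describes: the attacker sends the link, and the script runs when the victim opens it. Note that `URLSearchParams` percent-decodes the fragment, which is why the encoded `%3Cimg ... %3E` in the link arrives at the sink as a live `<img onerror=...>` tag.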
Impact
Successful exploitation lets the attacker run script of their choosing, such as redirects, injected advertisements, or other HTML payloads, in the browser of the user who opens the crafted link. Because the injection is DOM-based, the payload is not stored on the server and does not by itself reach other visitors; but when the victim is an administrator, the script runs with that administrator's session and can make changes that persist for every visitor, so the realistic outcomes include data theft, session hijacking, and defacement.
Mitigation
No patched release is recorded on this page. Check the vendor's changelog for a version newer than 1.6 and update as soon as one is available. Until then, where the site can tolerate it, deactivating the plugin removes the vulnerable client-side code path; otherwise consult your hosting provider or web developer for alternative mitigations. [1]
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- DesignThemes Core (designthemes-core): range <= 1.6
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.