High severity7.1NVD Advisory· Published Feb 20, 2026· Updated Apr 15, 2026

CVE-2025-69330

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jthemes Prestige prestige allows Reflected XSS.This issue affects Prestige: from n/a through < 1.4.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS vulnerability in WordPress Prestige theme before 1.4.1 allows attackers to inject malicious scripts via crafted URLs.

Vulnerability

Overview The Prestige WordPress theme before version 1.4.1 contains a reflected cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This allows attackers to inject arbitrary JavaScript or HTML into the generated page.

Exploitation

Conditions The vulnerability is triggered when a user clicks a specially crafted link or visits a malicious page that includes a payload in a query parameter. No authentication is required from the attacker, but successful exploitation requires a privileged user (e.g., administrator) to interact with the crafted link [1]. The attack can be initiated remotely, and the user interaction is minimal.

Impact

If exploited, an attacker can execute arbitrary scripts in the context of the victim's session. This could lead to session hijacking, redirection to malicious sites, defacement, or injection of ads and other HTML payloads into the affected site [1]. The vulnerability is moderately dangerous and is expected to be used in mass-exploit campaigns targeting thousands of websites [1].

Mitigation

The vulnerability has been patched in version 1.4.1 of the theme. Users are strongly advised to update immediately. If updating is not possible, a mitigation rule from Patchstack is available to block attacks until the update is applied [1].

References

Cross Site Scripting (XSS) in WordPress Prestige Theme

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

Zyxel/Prestigellm-fuzzy
Range: < 1.4.1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

patchstack.com/database/Wordpress/Theme/prestige/vulnerability/wordpress-prestige-theme-1-4-1-reflected-cross-site-scripting-xss-vulnerabilitynvd

News mentions

The Boring Stuff Is Dangerous Now
Dark Reading · May 18, 2026
TeamPCP Supply Chain Campaign: Update 008 - 26-Day Pause Ends with Three Concurrent Compromises (Checkmarx KICS, Bitwarden CLI Cascade, xinference PyPI), CanisterSprawl npm Worm Identified, and Tier 1 Coverage Returns, (Mon, Apr 27th)
SANS Internet Storm Center · Apr 27, 2026

cvss	0.461
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000