{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-4776", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-05-15T13:59:30.119Z", "datePublished": "2026-01-06T06:36:26.455Z", "dateUpdated": "2026-04-08T17:13:06.492Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:13:06.492Z"}, "affected": [{"vendor": "averta", "product": "Phlox", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.17.7", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Phlox theme for WordPress is vulnerable to Stored Cross-Site Scripting via the `data-caption` HTML attribute in all versions up to, and including, 2.17.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Phlox <= 2.17.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via `data-caption` HTML Attribute", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a49f8150-a27d-4801-8923-31af335c3cbd?source=cve"}, {"url": "https://themes.trac.wordpress.org/changeset/300858/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Craig Smith"}], "timeline": [{"time": "2025-05-13T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-10-07T11:18:33.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-01-05T17:35:55.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-06T14:23:03.368643Z", "id": "CVE-2025-4776", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-06T14:23:11.355Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-4776", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-06T14:23:03.368643Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-06T14:23:08.661Z"}}], "cna": {"title": "Phlox <= 2.17.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via `data-caption` HTML Attribute", "credits": [{"lang": "en", "type": "finder", "value": "Craig Smith"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "averta", "product": "Phlox", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.17.7"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-05-13T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-10-07T11:18:33.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-01-05T17:35:55.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a49f8150-a27d-4801-8923-31af335c3cbd?source=cve"}, {"url": "https://themes.trac.wordpress.org/changeset/300858/"}], "descriptions": [{"lang": "en", "value": "The Phlox theme for WordPress is vulnerable to Stored Cross-Site Scripting via the `data-caption` HTML attribute in all versions up to, and including, 2.17.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:13:06.492Z"}}}, "cveMetadata": {"cveId": "CVE-2025-4776", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:13:06.492Z", "dateReserved": "2025-05-15T13:59:30.119Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-06T06:36:26.455Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Phlox theme for WordPress is vulnerable to Stored Cross-Site Scripting via the `data-caption` HTML attribute in all versions up to, and including, 2.17.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2025-4776", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-06T07:15:43.020", "references": [{"source": "security@wordfence.com", "url": "https://themes.trac.wordpress.org/changeset/300858/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a49f8150-a27d-4801-8923-31af335c3cbd?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T21:18:35.599214+00:00", "value": {"mitigation_remediation": ["Upgrade Phlox to version 2.18 or later, which removes the vulnerable handling of the data-caption attribute.", "If an upgrade is not immediately possible, remove or sanitize any data-caption attributes in the theme templates, ensuring that all user input is properly escaped before rendering.", "Limit Contributor role permissions to prevent untrusted users from editing theme content, or use a role\u2011based restriction plugin to block form or media editing capabilities for contributors."], "summary": {"action": "Patch Now", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "All installations of the Phlox WordPress theme using version 2.17.7 or earlier are vulnerable. The affected product vendor is averta, and the issue arises in the theme\u2019s handling of data\u2011caption attributes across all supported WordPress versions. Users with Contributor\u2011level access or higher can exploit this flaw.\n", "description_and_impact": "The Phlox theme for WordPress contains a stored cross\u2011site scripting flaw that allows an authenticated user with Contributor or higher privileges to inject arbitrary JavaScript into the page via the data\u2011caption attribute. The injected script is rendered and executed when any visitor loads the affected page, enabling attackers to hijack user sessions, exfiltrate data, deface content, or redirect users to malicious sites. The weakness is a classic input validation and output escaping failure cataloged as CWE\u201179.", "risk_and_exploitability": "The vulnerability is assigned a CVSS score of 6.4, indicating moderate severity, and has an EPSS score of less than 1\u202f%, suggesting a low probability of exploitation in the wild. The flaw is not listed in the CISA KEV catalog. Exploitation requires the attacker to be authenticated with at least Contributor permissions, so lateral movement into content editing is a prerequisite. Once achieved, the attacker can embed malicious scripts that execute in any visitor\u2019s browser, making the danger particularly high within high\u2011traffic sites."}}}}, "created": "2026-01-06T14:15:50.790329+00:00", "updated": "2026-04-20T21:30:18.566061+00:00", "vendors": ["averta", "averta$PRODUCT$phlox", "wordpress", "wordpress$PRODUCT$wordpress"]}