{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-67918", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-15T09:59:40.762Z", "datePublished": "2026-01-08T09:17:45.942Z", "dateUpdated": "2026-04-28T16:14:23.604Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "woffice", "product": "Woffice", "vendor": "WofficeIO", "versions": [{"changes": [{"at": "5.4.31", "status": "unaffected"}], "lessThanOrEqual": "5.4.30", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Rafie Muhammad | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:22:36.164Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WofficeIO Woffice woffice allows Reflected XSS.<p>This issue affects Woffice: from n/a through <= 5.4.30.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WofficeIO Woffice woffice allows Reflected XSS.This issue affects Woffice: from n/a through <= 5.4.30."}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "Reflected XSS"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:23.604Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/woffice/vulnerability/wordpress-woffice-theme-5-4-30-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "title": "WordPress Woffice theme <= 5.4.30 - Cross Site Scripting (XSS) vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-08T14:55:45.445075Z", "id": "CVE-2025-67918", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T18:01:42.233Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-67918", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-08T14:55:45.445075Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-08T14:55:48.147Z"}}], "cna": {"title": "WordPress Woffice theme <= 5.4.30 - Cross Site Scripting (XSS) vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Rafie Muhammad | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "Reflected XSS"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "WofficeIO", "product": "Woffice", "versions": [{"status": "affected", "changes": [{"at": "5.4.31", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "5.4.30"}], "packageName": "woffice", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:22:36.164Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/woffice/vulnerability/wordpress-woffice-theme-5-4-30-cross-site-scripting-xss-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WofficeIO Woffice woffice allows Reflected XSS.This issue affects Woffice: from n/a through <= 5.4.30.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WofficeIO Woffice woffice allows Reflected XSS.<p>This issue affects Woffice: from n/a through <= 5.4.30.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:13:54.528Z"}}}, "cveMetadata": {"cveId": "CVE-2025-67918", "state": "PUBLISHED", "dateUpdated": "2026-04-27T18:01:42.233Z", "dateReserved": "2025-12-15T09:59:40.762Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-08T09:17:45.942Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WofficeIO Woffice woffice allows Reflected XSS.This issue affects Woffice: from n/a through <= 5.4.30."}], "id": "CVE-2025-67918", "lastModified": "2026-04-27T18:16:48.837", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.7, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-01-08T10:15:50.720", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/woffice/vulnerability/wordpress-woffice-theme-5-4-30-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T18:19:09.199987+00:00", "value": {"mitigation_remediation": ["Update the Woffice theme to version 5.4.31 or later to remove the XSS bug.", "Ensure that all theme input fields are properly encoded or sanitized before rendering to prevent future injection attempts.", "Apply a reputable WordPress security plugin that provides XSS filtering and content security policy enforcement to add an additional safeguard."], "summary": {"action": "Apply Patch", "impact": "Cross-site Scripting (Reflected XSS)"}, "threat_synthesis": {"affected_systems": "WofficeIO\u2019s Woffice theme for WordPress is vulnerable in all versions from the initial release through 5.4.30. Any site utilizing the theme in these versions is impacted and should be considered for remediation.", "description_and_impact": "Improper Neutralization of Input During Web Page Generation allows an attacker to inject malicious scripts into pages served by the affected WordPress theme. The reflected XSS flaw can execute arbitrary code within the context of a victim\u2019s browser, potentially compromising session data, defacing content, or facilitating phishing attacks. The weakness is identified as CWE\u201179, reflecting the reliance on untrusted user input without proper output encoding.", "risk_and_exploitability": "The CVSS score of 7.1 indicates a moderate severity, and the EPSS score of less than 1% suggests a low probability of exploitation at present. However, the vulnerability is present in all legacy theme versions and is not listed in the CISA KEV catalog. An attacker can likely exploit the flaw via a crafted URL that includes malicious user input, leading to reflected XSS in the victim\u2019s browser. While exploitation potential is moderate, the widespread use of the theme warrants timely patching."}}}}, "created": "2026-01-09T13:25:05.766131+00:00", "updated": "2026-04-28T18:30:37.323550+00:00", "vendors": ["wofficeio", "wofficeio$PRODUCT$woffice_core", "wordpress", "wordpress$PRODUCT$wordpress"]}