{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-67952", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-15T10:00:16.552Z", "datePublished": "2026-01-22T16:51:55.230Z", "dateUpdated": "2026-04-28T19:28:29.069Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "grandtour", "product": "Grand Tour", "vendor": "ThemeGoods", "versions": [{"changes": [{"at": "5.6.2", "status": "unaffected"}], "lessThanOrEqual": "5.6.2", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:02:21.076Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Grand Tour grandtour allows Reflected XSS.<p>This issue affects Grand Tour: from n/a through < 5.6.2.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Grand Tour grandtour allows Reflected XSS.This issue affects Grand Tour: from n/a through < 5.6.2."}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "Reflected XSS"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:24.560Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/grandtour/vulnerability/wordpress-grand-tour-theme-5-6-2-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "title": "WordPress Grand Tour theme < 5.6.2 - Cross Site Scripting (XSS) vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-29T01:02:05.263530Z", "id": "CVE-2025-67952", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T19:28:29.069Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-67952", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-29T01:02:05.263530Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-29T01:02:20.293Z"}}], "cna": {"title": "WordPress Grand Tour theme < 5.6.2 - Cross Site Scripting (XSS) vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "Reflected XSS"}]}], "affected": [{"vendor": "ThemeGoods", "product": "Grand Tour", "versions": [{"status": "affected", "changes": [{"at": "5.6.2", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "< 5.6.2"}], "packageName": "grandtour", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-01-22T17:43:48.616Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/grandtour/vulnerability/wordpress-grand-tour-theme-5-6-2-cross-site-scripting-xss-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Grand Tour grandtour allows Reflected XSS.This issue affects Grand Tour: from n/a through < 5.6.2.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Grand Tour grandtour allows Reflected XSS.<p>This issue affects Grand Tour: from n/a through < 5.6.2.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-01-22T16:51:55.230Z"}}}, "cveMetadata": {"cveId": "CVE-2025-67952", "state": "PUBLISHED", "dateUpdated": "2026-01-29T01:02:24.298Z", "dateReserved": "2025-12-15T10:00:16.552Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-22T16:51:55.230Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Grand Tour grandtour allows Reflected XSS.This issue affects Grand Tour: from n/a through < 5.6.2."}, {"lang": "es", "value": "Neutralizaci\u00f3n incorrecta de la entrada durante la generaci\u00f3n de p\u00e1ginas web ('cross-site scripting') vulnerabilidad en ThemeGoods Grand Tour grandtour permite XSS reflejado. Este problema afecta a Grand Tour: desde n/a hasta &lt; 5.6.2."}], "id": "CVE-2025-67952", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-01-22T17:16:04.657", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/grandtour/vulnerability/wordpress-grand-tour-theme-5-6-2-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-27T21:33:10.989343+00:00", "value": {"mitigation_remediation": ["Upgrade the Grand Tour theme to version\u202f5.6.2 or later", "If immediate upgrade is not possible, disable the Grand Tour theme or switch to a different theme to prevent the vulnerable code from executing", "Apply a content\u2011security\u2011policy header that limits script execution to trusted origins as an additional defense"], "summary": {"action": "Immediate Patch", "impact": "Cross\u2011Site Scripting (injection of malicious scripts into reflected content)"}, "threat_synthesis": {"affected_systems": "The issue affects the ThemeGoods Grand Tour WordPress theme for all versions from initial release through versions lower than 5.6.2. Users running any of those pre\u20115.6.2 releases are vulnerable; newer or patched releases are not affected.", "description_and_impact": "The vulnerability is an instance of improper input neutralization that results in reflected Cross\u2011Site Scripting. An attacker can craft a URL that includes malicious JavaScript; when an affected user visits that URL, the script runs in the victim\u2019s browser with the same privileges as the user view. This can lead to theft of session cookies, defacement of content, or the execution of arbitrary code on the client side. The weakness is categorized as CWE\u201179, which highlights the lack of sanitization in generating the response page.", "risk_and_exploitability": "The CVSS score of 7.1 denotes high severity, and the EPSS score indicates a very low probability of mass exploitation at present. The vulnerability is not currently listed in the CISA KEV catalog. Based on the description, the most likely attack vector is a reflected XSS attack triggered via a maliciously crafted link sent to unsuspecting users. Successful exploitation requires the victim to click the link and view the resulting page, after which client\u2011side code executes."}}}}, "created": "2026-01-23T16:31:12.532340+00:00", "updated": "2026-04-27T21:45:14.519861+00:00", "vendors": ["themegoods", "themegoods$PRODUCT$grand_tour", "wordpress", "wordpress$PRODUCT$wordpress"]}