{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-67964", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-15T10:00:23.852Z", "datePublished": "2026-01-22T16:51:58.200Z", "dateUpdated": "2026-04-28T19:29:46.952Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "homey-core", "product": "Homey Core", "vendor": "favethemes", "versions": [{"changes": [{"at": "2.4.4", "status": "unaffected"}], "lessThanOrEqual": "2.4.3", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:02:31.508Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in favethemes Homey Core homey-core allows Reflected XSS.<p>This issue affects Homey Core: from n/a through <= 2.4.3.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in favethemes Homey Core homey-core allows Reflected XSS.This issue affects Homey Core: from n/a through <= 2.4.3."}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "Reflected XSS"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:24.928Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/homey-core/vulnerability/wordpress-homey-core-plugin-2-4-3-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "title": "WordPress Homey Core plugin <= 2.4.3 - Cross Site Scripting (XSS) vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-28T23:58:39.127634Z", "id": "CVE-2025-67964", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T19:29:46.952Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-67964", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-28T23:58:39.127634Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-28T23:58:30.239Z"}}], "cna": {"title": "WordPress Homey Core plugin <= 2.4.3 - Cross Site Scripting (XSS) vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "Reflected XSS"}]}], "affected": [{"vendor": "favethemes", "product": "Homey Core", "versions": [{"status": "affected", "changes": [{"at": "2.4.4", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "2.4.3"}], "packageName": "homey-core", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:02:31.508Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/homey-core/vulnerability/wordpress-homey-core-plugin-2-4-3-cross-site-scripting-xss-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in favethemes Homey Core homey-core allows Reflected XSS.This issue affects Homey Core: from n/a through <= 2.4.3.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in favethemes Homey Core homey-core allows Reflected XSS.<p>This issue affects Homey Core: from n/a through <= 2.4.3.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-01T14:11:37.472Z"}}}, "cveMetadata": {"cveId": "CVE-2025-67964", "state": "PUBLISHED", "dateUpdated": "2026-04-01T14:11:37.472Z", "dateReserved": "2025-12-15T10:00:23.852Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-22T16:51:58.200Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in favethemes Homey Core homey-core allows Reflected XSS.This issue affects Homey Core: from n/a through <= 2.4.3."}, {"lang": "es", "value": "Neutralizaci\u00f3n Incorrecta de la Entrada Durante la Generaci\u00f3n de P\u00e1ginas Web ('cross-site scripting') vulnerabilidad en favethemes Homey Core homey-core permite XSS Reflejado. Este problema afecta a Homey Core: desde n/a hasta &lt;= 2.4.3."}], "id": "CVE-2025-67964", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-01-22T17:16:05.993", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/homey-core/vulnerability/wordpress-homey-core-plugin-2-4-3-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-27T21:30:20.976551+00:00", "value": {"mitigation_remediation": ["Upgrade Homey Core to the latest available version, which contains the input validation fix.", "If upgrading immediately is not feasible, block or sanitize the specific user\u2011supplied fields that trigger the reflection, or temporarily disable the affected functionality in active installations.", "Implement a Content\u2011Security\u2011Policy that disallows inline scripting to reduce the impact while the patch remains pending."], "summary": {"action": "Immediate Patch", "impact": "Cross\u2011Site Scripting (Reflected)"}, "threat_synthesis": {"affected_systems": "The affected product is the WordPress plugin Homey Core from favethemes. All installations running version 2.4.3 or earlier are impacted; the issue originates with the plugin\u2019s handling of user\u2011supplied input in the file rendering logic.", "description_and_impact": "The vulnerability is an instance of improper neutralization of input during web page generation, classified as CWE\u201179. It allows an attacker to inject malicious JavaScript that is reflected back to the user\u2019s browser when a crafted URL or input is processed. The effect is that a victim who opens the malicious link will have the script executed in their browser context, enabling an attacker to hijack sessions, steal credentials, or deface the site.", "risk_and_exploitability": "The CVSS score of 7.1 indicates a high\u2011to\u2011medium risk severity. The EPSS score of less than 1% suggests a low probability of exploitation, and the vulnerability is not listed in CISA\u2019s KEV catalog. Attackers can exploit the reflected XSS by directing a victim to a specially crafted URL or by submitting malicious input that the plugin mistakenly renders without proper sanitization. The simplicity of the attack vector (any user who visits the URL) means that defenses should focus on patching and sanitization rather than relying on defensive perimeter controls alone."}}}}, "created": "2026-01-23T16:30:25.910087+00:00", "updated": "2026-04-27T21:45:14.514875+00:00", "vendors": ["favethemes", "favethemes$PRODUCT$homey", "wordpress", "wordpress$PRODUCT$wordpress"]}