{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-67972", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-15T10:00:28.856Z", "datePublished": "2026-02-20T15:46:29.103Z", "dateUpdated": "2026-04-28T19:30:32.618Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "prague-plugins", "product": "Prague", "vendor": "fox-themes", "versions": [{"changes": [{"at": "2.2.9", "status": "unaffected"}], "lessThanOrEqual": "2.2.8", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:02:34.288Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fox-themes Prague prague-plugins allows Reflected XSS.<p>This issue affects Prague: from n/a through <= 2.2.8.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fox-themes Prague prague-plugins allows Reflected XSS.This issue affects Prague: from n/a through <= 2.2.8."}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "Reflected XSS"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:24.944Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/prague-plugins/vulnerability/wordpress-prague-plugin-2-2-8-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "title": "WordPress Prague plugin <= 2.2.8 - Cross Site Scripting (XSS) vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-23T21:46:48.558132Z", "id": "CVE-2025-67972", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T19:30:32.618Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-67972", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-23T21:46:48.558132Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-23T21:46:49.632Z"}}], "cna": {"title": "WordPress Prague plugin <= 2.2.8 - Cross Site Scripting (XSS) vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "Reflected XSS"}]}], "affected": [{"vendor": "fox-themes", "product": "Prague", "versions": [{"status": "affected", "changes": [{"at": "2.2.9", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "<= 2.2.8"}], "packageName": "prague-plugins", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-02-20T16:44:08.204Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/prague-plugins/vulnerability/wordpress-prague-plugin-2-2-8-cross-site-scripting-xss-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fox-themes Prague prague-plugins allows Reflected XSS.This issue affects Prague: from n/a through <= 2.2.8.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fox-themes Prague prague-plugins allows Reflected XSS.<p>This issue affects Prague: from n/a through <= 2.2.8.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-02-20T15:46:29.103Z"}}}, "cveMetadata": {"cveId": "CVE-2025-67972", "state": "PUBLISHED", "dateUpdated": "2026-02-23T21:48:05.989Z", "dateReserved": "2025-12-15T10:00:28.856Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-20T15:46:29.103Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fox-themes Prague prague-plugins allows Reflected XSS.This issue affects Prague: from n/a through <= 2.2.8."}, {"lang": "es", "value": "Neutralizaci\u00f3n Incorrecta de la Entrada Durante la Generaci\u00f3n de P\u00e1ginas Web ('cross-site scripting') vulnerabilidad en fox-themes Prague prague-plugins permite XSS Reflejado. Este problema afecta a Prague: desde n/d hasta &lt;= 2.2.8."}], "id": "CVE-2025-67972", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-20T16:22:03.430", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/prague-plugins/vulnerability/wordpress-prague-plugin-2-2-8-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.2.8]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Prague", "source": "cna", "vendor": "fox-themes"}, "product": "prague", "vendor": "fox-themes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-27T20:59:35.311304+00:00", "value": {"mitigation_remediation": ["Upgrade the Prague plugin to any version newer than 2.2.8, which contains the vendor\u2011provided fix.", "If an upgrade cannot be applied immediately, ensure that all user\u2011supplied data processed by the plugin is properly sanitized or escaped so that script elements are neutralized before rendering.", "Deploy a Web Application Firewall or enforce a Content Security Policy that blocks inline script execution from untrusted sources to mitigate any remaining XSS vectors."], "summary": {"action": "Patch", "impact": "Cross\u2011Site Scripting (XSS)"}, "threat_synthesis": {"affected_systems": "Affects the Prague WordPress plugin developed by fox\u2011themes. All supported releases up to version 2.2.8 are vulnerable. The vulnerability is present in any installation using a Prague plugin older than 2.2.9. No other versions are listed as affected.\n", "description_and_impact": "The vulnerability is an improper neutralization of input during web page generation, allowing an attacker to inject arbitrary script code that is reflected back to the user. This reflected XSS flaw can lead to theft of user session cookies, defacement of the site, or phishing attacks performed in the victim\u2019s browser context. The weakness is classified under CWE\u201179 and has a CVSS score of 7.1, indicating a high severity.\n", "risk_and_exploitability": "The EPSS score of less than 1% indicates that exploitation attempts are expected to be very rare, and the vulnerability is not listed in the CISA KEV catalogue. The likely attack vector is a web\u2011based exploit, where an attacker lures a user to visit a crafted URL or submit a form that causes the plugin to echo untrusted input back to the page. Given the high CVSS score, the risk remains significant if the plugin is in use on a public website, but the low EPSS and lack of known active exploits reduce the immediate threat.\n"}}}}, "created": "2026-02-23T14:46:25.630209+00:00", "updated": "2026-04-27T21:00:13.181978+00:00", "vendors": ["fox-themes", "fox-themes$PRODUCT$prague", "wordpress", "wordpress$PRODUCT$wordpress"]}