{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-68078", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-15T10:01:24.073Z", "datePublished": "2025-12-16T08:13:04.573Z", "dateUpdated": "2026-04-28T19:58:30.795Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "salient-portfolio", "product": "Salient Portfolio", "vendor": "ThemeNectar", "versions": [{"changes": [{"at": "1.8.3", "status": "unaffected"}], "lessThanOrEqual": "1.8.2", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:02:25.153Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeNectar Salient Portfolio salient-portfolio allows Stored XSS.<p>This issue affects Salient Portfolio: from n/a through <= 1.8.2.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeNectar Salient Portfolio salient-portfolio allows Stored XSS.This issue affects Salient Portfolio: from n/a through <= 1.8.2."}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "Stored XSS"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:28.274Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/salient-portfolio/vulnerability/wordpress-salient-portfolio-theme-1-8-2-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "title": "WordPress Salient Portfolio theme <= 1.8.2 - Cross Site Scripting (XSS) vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-17T14:54:06.223815Z", "id": "CVE-2025-68078", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T19:58:30.795Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-68078", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-17T14:54:06.223815Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-17T14:54:48.396Z"}}], "cna": {"title": "WordPress Salient Portfolio theme <= 1.8.2 - Cross Site Scripting (XSS) vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "Stored XSS"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "ThemeNectar", "product": "Salient Portfolio", "versions": [{"status": "affected", "changes": [{"at": "1.8.3", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "1.8.2"}], "packageName": "salient-portfolio", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:02:25.153Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/salient-portfolio/vulnerability/wordpress-salient-portfolio-theme-1-8-2-cross-site-scripting-xss-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeNectar Salient Portfolio salient-portfolio allows Stored XSS.This issue affects Salient Portfolio: from n/a through <= 1.8.2.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeNectar Salient Portfolio salient-portfolio allows Stored XSS.<p>This issue affects Salient Portfolio: from n/a through <= 1.8.2.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:28.274Z"}}}, "cveMetadata": {"cveId": "CVE-2025-68078", "state": "PUBLISHED", "dateUpdated": "2026-04-28T19:58:30.795Z", "dateReserved": "2025-12-15T10:01:24.073Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2025-12-16T08:13:04.573Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeNectar Salient Portfolio salient-portfolio allows Stored XSS.This issue affects Salient Portfolio: from n/a through <= 1.8.2."}], "id": "CVE-2025-68078", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 3.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-12-16T09:16:02.817", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/salient-portfolio/vulnerability/wordpress-salient-portfolio-theme-1-8-2-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-27T22:16:21.328911+00:00", "value": {"mitigation_remediation": ["Upgrade Salient Portfolio to version 1.8.3 or later, which resolves the XSS issue. ", "If the upgrade is not possible, temporarily deactivate or remove the Salient Portfolio theme to eliminate the vulnerability. ", "Ensure that only trusted users have permissions to create or edit portfolio items, limiting the ability to inject malicious payloads. ", "Implement a Content Security Policy that blocks inline scripts and restricts script sources, providing a defense in depth measure."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "ThemeNectar Salient Portfolio theme for WordPress, versions from unversioned releases up to and including 1.8.2 are affected. Earlier versions lack explicit numbering in the CNA data.", "description_and_impact": "An attacker can inject malicious script that is stored and then served to any user who views the vulnerable content. The script runs in the victim\u2019s browser context, potentially exposing session cookies, performing phishing, or loading additional malware. The vulnerability is a classic stored XSS (CWE\u201179).", "risk_and_exploitability": "The CVSS score of 6.5 indicates a medium severity. An EPSS score of under 1% shows that, at present, the exploitation probability is low but not zero. The vulnerability is not listed in the CISA KEV catalog. The likely attack path involves an attacker who can create or edit portfolio items, entering a payload that is stored in the database and later rendered in a web page. The exposure is limited to browsers rendering the malicious content, but the effect can reach many users who view the affected portfolio items."}}}}, "created": "2025-12-16T17:09:27.290947+00:00", "updated": "2026-04-27T22:30:14.449287+00:00", "vendors": ["themenectar", "themenectar$PRODUCT$salient_core", "wordpress", "wordpress$PRODUCT$wordpress"]}