{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-69302", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-31T20:12:02.741Z", "datePublished": "2026-02-20T15:46:46.906Z", "dateUpdated": "2026-04-28T20:46:42.748Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "designthemes-core-features", "product": "DesignThemes Core Features", "vendor": "designthemes", "versions": [{"lessThanOrEqual": "2.3", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:03:44.652Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in designthemes DesignThemes Core Features designthemes-core-features allows Reflected XSS.<p>This issue affects DesignThemes Core Features: from n/a through <= 2.3.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in designthemes DesignThemes Core Features designthemes-core-features allows Reflected XSS.This issue affects DesignThemes Core Features: from n/a through <= 2.3."}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "Reflected XSS"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:37.093Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/designthemes-core-features/vulnerability/wordpress-designthemes-core-features-plugin-2-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "title": "WordPress DesignThemes Core Features plugin <= 2.3 - Reflected Cross Site Scripting (XSS) vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-23T21:37:19.349899Z", "id": "CVE-2025-69302", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T20:46:42.748Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-69302", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-23T21:37:19.349899Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-23T21:37:20.474Z"}}], "cna": {"title": "WordPress DesignThemes Core Features plugin <= 2.3 - Reflected Cross Site Scripting (XSS) vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "Reflected XSS"}]}], "affected": [{"vendor": "designthemes", "product": "DesignThemes Core Features", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "2.3"}], "packageName": "designthemes-core-features", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:03:44.652Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/designthemes-core-features/vulnerability/wordpress-designthemes-core-features-plugin-2-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in designthemes DesignThemes Core Features designthemes-core-features allows Reflected XSS.This issue affects DesignThemes Core Features: from n/a through <= 2.3.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in designthemes DesignThemes Core Features designthemes-core-features allows Reflected XSS.<p>This issue affects DesignThemes Core Features: from n/a through <= 2.3.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-01T14:13:11.273Z"}}}, "cveMetadata": {"cveId": "CVE-2025-69302", "state": "PUBLISHED", "dateUpdated": "2026-04-01T14:13:11.273Z", "dateReserved": "2025-12-31T20:12:02.741Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-20T15:46:46.906Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in designthemes DesignThemes Core Features designthemes-core-features allows Reflected XSS.This issue affects DesignThemes Core Features: from n/a through <= 2.3."}, {"lang": "es", "value": "Vulnerabilidad de Neutralizaci\u00f3n Inadecuada de la Entrada Durante la Generaci\u00f3n de P\u00e1ginas Web ('cross-site scripting') en DesignThemes Core Features permite XSS Reflejado. Este problema afecta a DesignThemes Core Features: desde n/a hasta &lt;= 2.3."}], "id": "CVE-2025-69302", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-20T16:22:18.030", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/designthemes-core-features/vulnerability/wordpress-designthemes-core-features-plugin-2-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.3]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "DesignThemes Core Features", "source": "cna", "vendor": "designthemes"}, "product": "designthemes_core_features", "vendor": "designthemes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-27T20:37:54.125004+00:00", "value": {"mitigation_remediation": ["Update the DesignThemes Core Features plugin to a version newer than 2.3, which incorporates the XSS fix.", "If an update cannot be applied immediately, disable or deactivate the DesignThemes Core Features plugin to remove the vulnerability until a patch is available.", "Apply strict input validation and output escaping on any plugin\u2011controlled content, or deploy a web application firewall rule that blocks reflected XSS payloads."], "summary": {"action": "Patch", "impact": "Reflected Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The vulnerability is present in the DesignThemes Core Features WordPress plugin, version 2.3 and earlier. It affects all installations of the plugin up to and including 2.3. No other versions were listed as affected.", "description_and_impact": "Improper neutralization of input during web page generation, reflected use of user data without proper escaping, leads to a Cross\u2011Site Scripting (XSS) flaw in the DesignThemes Core Features plugin for WordPress. Attackers can inject malicious scripts into pages viewed by other users, enabling theft of session tokens, data exfiltration, or defacement.", "risk_and_exploitability": "The CVSS score is 7.1 indicating a high potential for exploitation. EPSS is less than 1%, suggesting low current exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is reflected XSS via plugin input fields or query parameters, inferred from the described lack of proper neutralization."}}}}, "created": "2026-02-23T14:37:42.917297+00:00", "updated": "2026-04-27T20:45:12.707649+00:00", "vendors": ["designthemes", "designthemes$PRODUCT$designthemes_core_features", "wordpress", "wordpress$PRODUCT$wordpress"]}