{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-69343", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-31T20:12:28.142Z", "datePublished": "2026-03-05T05:53:32.181Z", "dateUpdated": "2026-04-28T20:54:34.061Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "theatre", "product": "Theater for WordPress", "vendor": "Jeroen Schmit", "versions": [{"changes": [{"at": "0.19.1", "status": "unaffected"}], "lessThanOrEqual": "0.19", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "PPzzAArr | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:04:01.270Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jeroen Schmit Theater for WordPress theatre allows Stored XSS.<p>This issue affects Theater for WordPress: from n/a through <= 0.19.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jeroen Schmit Theater for WordPress theatre allows Stored XSS.This issue affects Theater for WordPress: from n/a through <= 0.19."}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "Stored XSS"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:38.250Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/theatre/vulnerability/wordpress-theater-for-wordpress-plugin-0-19-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "title": "WordPress Theater for WordPress plugin <= 0.19 - Cross Site Scripting (XSS) vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-10T13:14:00.097611Z", "id": "CVE-2025-69343", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T20:54:34.061Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-69343", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-10T13:14:00.097611Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T13:11:47.584Z"}}], "cna": {"title": "WordPress Theater for WordPress plugin <= 0.19 - Cross Site Scripting (XSS) vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "PPzzAArr | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "Stored XSS"}]}], "affected": [{"vendor": "Jeroen Schmit", "product": "Theater for WordPress", "versions": [{"status": "affected", "changes": [{"at": "0.19.1", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "0.19"}], "packageName": "theatre", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:04:01.270Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/theatre/vulnerability/wordpress-theater-for-wordpress-plugin-0-19-cross-site-scripting-xss-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jeroen Schmit Theater for WordPress theatre allows Stored XSS.This issue affects Theater for WordPress: from n/a through <= 0.19.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jeroen Schmit Theater for WordPress theatre allows Stored XSS.<p>This issue affects Theater for WordPress: from n/a through <= 0.19.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-01T14:13:19.343Z"}}}, "cveMetadata": {"cveId": "CVE-2025-69343", "state": "PUBLISHED", "dateUpdated": "2026-04-01T14:13:19.343Z", "dateReserved": "2025-12-31T20:12:28.142Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-05T05:53:32.181Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jeroen Schmit Theater for WordPress theatre allows Stored XSS.This issue affects Theater for WordPress: from n/a through <= 0.19."}, {"lang": "es", "value": "Neutralizaci\u00f3n Incorrecta de la Entrada Durante la Generaci\u00f3n de P\u00e1ginas Web ('cross-site scripting') vulnerabilidad en Jeroen Schmit Theater para WordPress theatre permite XSS Almacenado. Este problema afecta a Theater for WordPress: desde n/a hasta &lt;= 0.19."}], "id": "CVE-2025-69343", "lastModified": "2026-04-22T21:26:58.303", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 3.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-05T06:16:12.820", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/theatre/vulnerability/wordpress-theater-for-wordpress-plugin-0-19-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,0.19]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "0.19.1"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Theater for WordPress", "source": "cna", "vendor": "Jeroen Schmit"}, "product": "theater_for_wordpress", "vendor": "jeroen_schmit"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-27T20:02:26.813086+00:00", "value": {"mitigation_remediation": ["Upgrade Theater for WordPress to a version newer than 0.19.", "Disable the plugin until a fix is available if an upgrade cannot be performed.", "Apply a web application firewall or enforce a strict Content Security Policy to block scripted payloads generated by the plugin."], "summary": {"action": "Patch", "impact": "Stored cross\u2011site scripting"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Theater for WordPress plugin by Jeroen Schmit version 0.19 and all earlier releases. Administrators should verify whether their site runs this plugin version and consider it exposed until a patch is applied.", "description_and_impact": "An attacker can inject malicious script into the Theater for WordPress plugin, which is then stored and served to any user who views the affected page. The stored XSS flaw allows arbitrary JavaScript execution within the victim\u2019s browser, potentially leading to session hijacking, credential theft, or defacement. The weakness is a classic type of input validation failure, documented as CWE\u201179.", "risk_and_exploitability": "The CVSS score of 6.5 indicates a moderate severity, while the EPSS score of less than 1% shows the estimated exploitation probability is very low at present. The vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation requires an attacker to supply arbitrary input that is accepted and rendered by the plugin, such as via user comments, post content, or widget fields. When such input is loaded, the browser executes the embedded script, compromising the victim\u2019s session and data."}}}}, "created": "2026-03-06T15:14:51.621526+00:00", "updated": "2026-04-27T20:15:12.261089+00:00", "vendors": ["jeroen_schmit", "jeroen_schmit$PRODUCT$theater_for_wordpress", "wordpress", "wordpress$PRODUCT$wordpress"]}