{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-9371", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-08-22T19:43:31.721Z", "datePublished": "2025-10-09T11:20:56.887Z", "dateUpdated": "2026-04-08T17:34:16.131Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:34:16.131Z"}, "affected": [{"vendor": "MuffinGroup", "product": "Betheme", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "28.1.6", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Betheme theme for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018page_title\u2019 parameter in all versions up to, and including, 28.1.6 due to insufficient input sanitization and output escaping of theme breadcrumbs. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Betheme <= 28.1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'page_title'", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f9da9d45-39e2-4b07-baed-1f7d7f67602e?source=cve"}, {"url": "https://themeforest.net/item/betheme-responsive-multipurpose-wordpress-theme/7758048#item-description__version-28-1-7-september-3rd-2025"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Zbigniew Piotrak"}], "timeline": [{"time": "2025-08-22T20:00:32.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-10-08T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-09T14:32:44.375970Z", "id": "CVE-2025-9371", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-09T14:35:04.330Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-9371", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-09T14:32:44.375970Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-09T14:33:31.239Z"}}], "cna": {"title": "Betheme <= 28.1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'page_title'", "credits": [{"lang": "en", "type": "finder", "value": "Zbigniew Piotrak"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "MuffinGroup", "product": "Betheme", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "28.1.6"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-08-22T20:00:32.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-10-08T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f9da9d45-39e2-4b07-baed-1f7d7f67602e?source=cve"}, {"url": "https://themeforest.net/item/betheme-responsive-multipurpose-wordpress-theme/7758048#item-description__version-28-1-7-september-3rd-2025"}], "descriptions": [{"lang": "en", "value": "The Betheme theme for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018page_title\u2019 parameter in all versions up to, and including, 28.1.6 due to insufficient input sanitization and output escaping of theme breadcrumbs. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:34:16.131Z"}}}, "cveMetadata": {"cveId": "CVE-2025-9371", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:34:16.131Z", "dateReserved": "2025-08-22T19:43:31.721Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-09T11:20:56.887Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Betheme theme for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018page_title\u2019 parameter in all versions up to, and including, 28.1.6 due to insufficient input sanitization and output escaping of theme breadcrumbs. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2025-9371", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-10-09T12:15:35.807", "references": [{"source": "security@wordfence.com", "url": "https://themeforest.net/item/betheme-responsive-multipurpose-wordpress-theme/7758048#item-description__version-28-1-7-september-3rd-2025"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f9da9d45-39e2-4b07-baed-1f7d7f67602e?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T19:16:42.931837+00:00", "value": {"mitigation_remediation": ["Upgrade Betheme to 28.1.7 or later, which removes the unsanitized page_title handling.", "If immediate upgrade is infeasible, disable or sanitize the breadcrumb feature that outputs page titles to prevent stored scripts from rendering.", "Restrict Contributor or higher roles to trusted administrators, or remove the capability for these roles to edit page titles, so that only privileged users can change them."], "summary": {"action": "Patch Theme", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "All installations of the Betheme WordPress theme from its first public release through version\u00a028.1.6 are affected. Sites running the theme on any WordPress installation with Contributor\u2011level access or higher are vulnerable to exploitation of this stored\u2011XSS flaw.", "description_and_impact": "Betheme is vulnerable to stored Cross\u2011Site Scripting because the page_title parameter is not properly sanitized when used in the theme\u2019s breadcrumbs. Authenticated users with Contributor role or higher can inject arbitrary JavaScript that is stored in the page title and executed automatically whenever the page is accessed by any visitor. This attack allows attackers to steal session cookies, deface the site, or execute further malicious actions in the context of visiting users.", "risk_and_exploitability": "The CVSS score of 6.4 indicates moderate severity, while an EPSS score of less than 1% suggests a currently low probability of exploitation. However, because the vulnerability requires only contributor privileges\u2014a common role on many sites\u2014the risk of in\u2011site XSS remains significant for administrators who have granted such permissions. The flaw is not yet listed in the CISA KEV catalog, but any user who injects malicious content can infect all subsequent visitors to the affected pages, potentially leading to credential theft or site defacement."}}}}, "created": "2025-10-10T11:18:25.147910+00:00", "updated": "2026-04-20T19:30:06.157481+00:00", "vendors": ["muffingroup", "muffingroup$PRODUCT$betheme", "wordpress", "wordpress$PRODUCT$wordpress"]}