CVE-2025-67952
Published: 22 January 2026
Summary
CVE-2025-67952 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 20.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-67952 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as CWE-79, enabling Reflected Cross-Site Scripting (XSS) in the Grand Tour WordPress theme developed by ThemeGoods. The issue affects all versions of the Grand Tour theme from its initial release (n/a) through versions prior to 5.6.2. It carries a CVSS v3.1 base score of 7.1, reflecting network accessibility (AV:N), low attack complexity (AC:L), no required privileges (PR:N), user interaction needed (UI:R), changed scope (S:C), and low impacts on confidentiality, integrity, and availability (C:L/I:L/A:L).
An unauthenticated attacker can exploit this vulnerability by crafting a malicious URL containing a reflected XSS payload and tricking a user into visiting it on a site running the vulnerable Grand Tour theme. Upon interaction, such as clicking the link, the payload executes in the victim's browser context, potentially allowing the attacker to steal session cookies, perform actions on behalf of the user, or deface the page. The changed scope (S:C) reflects that the impact lands in the user's browser rather than in the vulnerable web server itself.
Patchstack advisories indicate that the vulnerability is fixed in Grand Tour theme version 5.6.2, recommending immediate updates to this or later versions for mitigation. No additional workarounds are specified in the provided references.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-4035
Vulnerability details
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Grand Tour grandtour allows Reflected XSS. This issue affects Grand Tour: from n/a through < 5.6.2.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in a public-facing web application enables exploitation via malicious links (T1190/T1566.002), JavaScript execution in the victim's browser (T1059.007), and session cookie theft (T1539).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly requires validation and neutralization of untrusted input before it is used in web page generation, blocking the reflected XSS payload in Grand Tour.
- SI-15 (Information Output Filtering): Requires filtering of information output to web clients, preventing malicious script execution from unsanitized reflected content.
- SI-2 (Flaw Remediation): Mandates timely remediation of known flaws, directly addressed by updating Grand Tour to version 5.6.2 or later, which corrects the CWE-79 defect.
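To make the two input/output controls concrete, the following is an added, constructed WordPress theme template fragment that shows the CWE-79 pattern beside its hardened form. It is not code from the Grand Tour theme or from ThemeGoods; the parameter name `gt_filter`, the function names and the markup are assumptions.

```php
<?php
/*
 * Constructed example: not the Grand Tour theme's own code.
 * A theme template that reflects the request parameter `gt_filter`
 * (an assumed name) back into the page.
 */

/* Vulnerable pattern (CWE-79): the raw query-string value is copied into
 * the HTML, so any markup carried in the URL is rendered, and scripts in
 * it execute, in the visitor's browser. */
function gt_vulnerable_heading() {
    $filter = isset( $_GET['gt_filter'] ) ? $_GET['gt_filter'] : '';
    echo '<h2 class="tour-filter">' . $filter . '</h2>';
}

/* SI-10 (input validation): unslash, strip tags and control characters,
 * and bound the length before the value is used anywhere. On its own this
 * is defense in depth; it does not replace output escaping. */
function gt_safe_filter_value() {
    if ( ! isset( $_GET['gt_filter'] ) ) {
        return '';
    }
    $filter = sanitize_text_field( wp_unslash( $_GET['gt_filter'] ) );
    return substr( $filter, 0, 64 );
}

/* SI-15 (output filtering): escape for the exact output context. HTML text,
 * attribute values and URLs each need a different encoding, so one generic
 * sanitizer at input time is not sufficient. */
function gt_hardened_heading() {
    $filter = gt_safe_filter_value();
    if ( '' === $filter ) {
        return;
    }
    // HTML text node context.
    echo '<h2 class="tour-filter">' . esc_html( $filter ) . '</h2>';
    // HTML attribute context.
    echo '<input type="text" name="gt_filter" value="' . esc_attr( $filter ) . '">';
    // URL context: build the link with add_query_arg, then escape the result.
    $url = add_query_arg( 'gt_filter', $filter, home_url( '/tours/' ) );
    echo '<a href="' . esc_url( $url ) . '">' . esc_html( 'Reset filter' ) . '</a>';
}
```

Reviewing a theme for this class of defect comes down to finding every `echo`/`print` of `$_GET`, `$_POST` or `$_REQUEST` data (directly or via a variable) that is not wrapped in a context-appropriate `esc_*()` call.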