CVE-2025-68538
Published: 22 January 2026
Summary
CVE-2025-68538 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 5.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-68538 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Cross-site Scripting (CWE-79), that enables DOM-Based XSS in the ThemeGoods Craft craftcoffee WordPress theme. This issue affects Craft versions from n/a through 2.3.6. The vulnerability carries a CVSS v3.1 base score of 7.1 (High), with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, indicating network accessibility, low complexity, no privileges required, user interaction needed, changed scope, and low impacts across confidentiality, integrity, and availability.
Attackers can exploit this vulnerability remotely without authentication by tricking users into interacting with malicious input, such as via a crafted link or page that triggers DOM-based XSS execution in the victim's browser. Successful exploitation allows limited theft of sensitive data in the same context (e.g., session tokens), minor manipulation of page content or functionality, and negligible denial of service, all within a changed security scope due to the client-side nature of DOM-based attacks.
Mitigation details are provided in the Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/craftcoffee/vulnerability/wordpress-craft-coffee-shop-cafe-restaurant-wordpress-theme-2-3-6-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve, which documents the vulnerability specific to the craftcoffee WordPress theme version 2.3.6. Security practitioners should update to a patched version of the theme if available and apply general XSS protections like Content Security Policy.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-4000
Vulnerability details
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Craft craftcoffee allows DOM-Based XSS. This issue affects Craft: from n/a through <= 2.3.6.
- CWE(s): CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting')
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
XSS in public-facing WordPress theme directly enables exploitation of web apps (T1190) and browser session hijacking via stolen tokens/cookies (T1185).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly requires applying the available patch to the craftcoffee theme to eliminate the vulnerable code that fails to neutralize input.
- SI-10 (Information Input Validation): Enforces validation and sanitization of all web input before it reaches DOM sinks, directly blocking the improper neutralization that enables this DOM-based XSS.
- Output filtering/encoding: Requires output filtering/encoding of untrusted data rendered in web pages, mitigating reflected/DOM XSS payloads even when input validation is incomplete.
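To illustrate the input-validation and output-encoding controls above in the context of DOM-based XSS, here is an added example of the kind of front-end pattern that turns a URL parameter into an HTML sink, beside a hardened rewrite. This is illustrative code, not the Craft theme's own script; the parameter name "cat", the category allowlist and the element stand-in are assumptions so the example runs under Node without a browser.

```javascript
// Added example (hypothetical, not the theme's code): DOM-XSS-prone pattern vs. hardened form.

// Stand-in for a DOM element so the example runs outside a browser. A real
// element would parse whatever lands in innerHTML as markup; here we only
// record what reaches the sink so the two variants can be compared.
function makeElement() {
  return { innerHTML: "", textContent: "" };
}

// Vulnerable pattern: the "cat" query parameter (attacker-controlled via a
// crafted link) flows unencoded into an HTML sink. Any markup in the value
// is interpreted by the browser, which is the DOM-based XSS condition.
function renderFilterLabelVulnerable(el, search) {
  const cat = new URLSearchParams(search).get("cat") || "";
  el.innerHTML = "Showing: " + cat; // HTML sink, value parsed as markup
  return el.innerHTML;
}

// Hardened (SI-10 style): constrain the value to a known allowlist and write
// it through a text sink, which is never parsed as HTML.
const KNOWN_CATEGORIES = new Set(["espresso", "filter", "pastry"]); // assumed

function renderFilterLabelHardened(el, search) {
  const raw = new URLSearchParams(search).get("cat") || "";
  const cat = KNOWN_CATEGORIES.has(raw) ? raw : "all"; // reject anything unexpected
  el.textContent = "Showing: " + cat; // text sink, no markup interpretation
  return el.textContent;
}

// Output-encoding fallback for places where a value must be interpolated into
// HTML and cannot be reduced to an allowlist: neutralize the five characters
// that carry meaning in HTML text and attribute contexts.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}
```

Under a real DOM, the vulnerable variant would render the markup while the hardened variant shows "Showing: all" for any value outside the allowlist; a Content Security Policy on the page is a second layer, not a substitute for fixing the sink.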