Cyber Resilience

CVE-2025-68538

Severity: High
Published: 22 January 2026
Modified: 15 April 2026
CVSS v3.1 score: 7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L)
EPSS score: 0.0002 (5.4th percentile)
Risk priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-68538 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 5.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-68538 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Cross-site Scripting (CWE-79), that enables DOM-Based XSS in the ThemeGoods Craft craftcoffee WordPress theme. This issue affects Craft versions from n/a through 2.3.6. The vulnerability carries a CVSS v3.1 base score of 7.1 (High), with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, indicating network accessibility, low complexity, no privileges required, user interaction needed, changed scope, and low impacts across confidentiality, integrity, and availability.

Attackers can exploit this vulnerability remotely without authentication by tricking users into interacting with malicious input, such as via a crafted link or page that triggers DOM-based XSS execution in the victim's browser. Successful exploitation allows limited theft of sensitive data in the same context (e.g., session tokens), minor manipulation of page content or functionality, and negligible denial of service, all within a changed security scope due to the client-side nature of DOM-based attacks.

Mitigation details are provided in the Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/craftcoffee/vulnerability/wordpress-craft-coffee-shop-cafe-restaurant-wordpress-theme-2-3-6-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve, which documents the vulnerability specific to the craftcoffee WordPress theme version 2.3.6. Security practitioners should update to a patched version of the theme if available and apply general XSS protections like Content Security Policy.


Vulnerability details

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Craft craftcoffee allows DOM-Based XSS. This issue affects Craft: from n/a through <= 2.3.6.

CWE(s)

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Related Threats

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1185 Browser Session Hijacking (Collection): Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user behaviors, and intercept information as part of various browser session hijacking techniques.
Why these techniques?

XSS in a public-facing WordPress theme directly enables exploitation of the web application (T1190) and browser session hijacking via stolen tokens or cookies (T1185).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

- CVE-2026-1843 (shared CWE-79)
- CVE-2026-42678 (shared CWE-79)
- CVE-2023-49186 (shared CWE-79)
- CVE-2025-22586 (shared CWE-79)
- CVE-2026-1316 (shared CWE-79)
- CVE-2025-23451 (shared CWE-79)
- CVE-2026-34564 (shared CWE-79)
- CVE-2025-23744 (shared CWE-79)
- CVE-2025-23923 (shared CWE-79)
- CVE-2025-23905 (shared CWE-79)


Mitigating Controls (NIST 800-53 r5)

Prevent (SI-2 Flaw Remediation): Directly requires applying the available patch to the craftcoffee theme to eliminate the vulnerable code that fails to neutralize input.

Prevent (SI-10 Information Input Validation): Enforces validation and sanitization of all web input before it reaches DOM sinks, directly blocking the improper neutralization that enables this DOM-based XSS.

Prevent (output encoding): Requires output filtering/encoding of untrusted data rendered in web pages, mitigating reflected/DOM XSS payloads even when input validation is incomplete.
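As an added illustration of the input-validation and output-encoding controls above (not code from the craftcoffee theme or the Patchstack advisory), the snippet below contrasts a hypothetical DOM-based sink with a hardened version. The `filter` fragment parameter, the heading element and the function names are assumptions for the illustration; the theme's actual sink is not described on this page.

```javascript
// Added example, not the theme's code. Assumed scenario: a front-end script
// reads "#filter=<value>" from the URL fragment and writes it into a heading.

// SI-10 style input validation: accept only a short slug-like token.
const FILTER_PATTERN = /^[a-z0-9_-]{1,40}$/i;

function validateFilter(raw, fallback = "all") {
  return typeof raw === "string" && FILTER_PATTERN.test(raw) ? raw : fallback;
}

// Output encoding for an HTML text context (the last control listed above).
function encodeHtml(str) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(str).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Parse the fragment the way a DOM-based flow would: "#filter=<value>".
function filterFromFragment(hash) {
  const params = new URLSearchParams(hash.replace(/^#/, ""));
  return params.get("filter");
}

// Vulnerable pattern (CWE-79, DOM-based): fragment text reaches the markup
// unchanged. This string is what `heading.innerHTML = ...` would hand to the
// HTML parser, so any tags in the fragment become live elements.
function renderUnsafe(hash) {
  return `<h2 class="filter-title">${filterFromFragment(hash) ?? "all"}</h2>`;
}

// Hardened pattern: validate first (reject anything but a slug), then encode
// for the HTML text context. In a real page, assigning heading.textContent
// instead of innerHTML would additionally bypass the HTML parser entirely.
function renderSafe(hash) {
  const value = validateFilter(filterFromFragment(hash));
  return `<h2 class="filter-title">${encodeHtml(value)}</h2>`;
}

// Constructed sample input: harmless markup smuggled into the fragment.
const SAMPLE_HASH = "#filter=" + encodeURIComponent('<b class="x">espresso</b>');
// renderUnsafe(SAMPLE_HASH) -> '<h2 class="filter-title"><b class="x">espresso</b></h2>'
// renderSafe(SAMPLE_HASH)   -> '<h2 class="filter-title">all</h2>'
// renderSafe("#filter=espresso") -> '<h2 class="filter-title">espresso</h2>'
```

The two functions return the markup string rather than touching a DOM so the contrast can be checked outside a browser; the unsafe output contains the injected element, the safe output does not.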
