CVE-2025-69317
Published: 22 January 2026
Summary
CVE-2025-69317 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks in the 20.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-69317 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-Site Scripting (XSS) under CWE-79, affecting the CarSpot WordPress theme developed by scriptsbundle. It affects all CarSpot versions prior to 2.4.6 (no lower bound is given; the advisory lists it as n/a). It has a CVSS v3.1 base score of 7.1, rated High, with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L.
Remote attackers can exploit this vulnerability without authentication by crafting input that the theme reflects back into the generated page without neutralization. Exploitation requires user interaction, such as a victim clicking a specially crafted link or submitting tainted input on a site using the vulnerable theme. A successful attack executes script in the victim's browser context; the vector records low confidentiality, integrity and availability impact with scope changed (S:C), since the effect lands in the victim's browser rather than on the vulnerable server itself.
Patchstack advisories indicate that the vulnerability is addressed in CarSpot version 2.4.6, recommending site administrators update to this version or later to mitigate the risk.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-3887
Vulnerability details
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in scriptsbundle CarSpot carspot allows Reflected XSS. This issue affects CarSpot: from n/a through < 2.4.6.
- CWE(s): CWE-79 (Improper Neutralization of Input During Web Page Generation)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in a public-facing WordPress theme directly enables exploitation of an internet-facing application (T1190) and arbitrary JavaScript execution in the victim's browser (T1059.007, Command and Scripting Interpreter: JavaScript).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation and sanitization of all web input to block the malicious payloads that cause this reflected XSS.
- SI-15 (Information Output Filtering): requires filtering of information output by the web application, preventing reflected script execution in the victim's browser.
- SC-18 (Mobile Code): restricts the use and execution of mobile code/scripts delivered via web pages, limiting the impact of unneutralized reflected input.
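The following is an added illustration of the reflected-XSS pattern described in the analysis above and of the three control types in the list just given (input validation, output filtering, restriction of mobile code). It is example code written for this page, not CarSpot's code or any of its theme templates; the page URL, the `s` query parameter and the sample input are constructed assumptions, and the WordPress-specific escaping helpers are stood in for by Python's `html.escape`.

```python
"""Reflected-XSS demonstration: vulnerable reflection beside the hardened form.

Example code for this advisory page, not CarSpot's code. The URL, the "s"
parameter and the sample input below are constructed for the demonstration.
"""
from __future__ import annotations

import html
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample request: a theme search page that reflects the "s" parameter.
SAMPLE_URL = "https://example.test/?s=%3Cscript%3Eprobe%3C%2Fscript%3E"


def search_term_from_url(url: str) -> str:
    """Extract the user-controlled search term from the query string."""
    return parse_qs(urlparse(url).query).get("s", [""])[0]


def render_vulnerable(term: str) -> str:
    """CWE-79 pattern: the raw parameter is concatenated straight into the page."""
    return f"<h2>Search results for: {term}</h2>"


def validate_term(term: str, max_len: int = 100) -> str | None:
    """SI-10 style input validation: bound the length and reject control characters.

    Validation narrows what reaches the template; it does not replace output
    encoding, because a legitimate search term may itself contain '<' or '"'.
    """
    if len(term) > max_len or re.search(r"[\x00-\x1f\x7f]", term):
        return None
    return term


def render_hardened(term: str) -> str:
    """SI-15 style output filtering: HTML-encode at the point of reflection.

    Encoding '<', '>', '&' and quotes makes the browser render the term as
    text instead of parsing it as markup (WordPress themes use esc_html() here).
    """
    return f"<h2>Search results for: {html.escape(term, quote=True)}</h2>"


def security_headers() -> dict[str, str]:
    """SC-18 style restriction on mobile code: a CSP that forbids inline script
    limits what an un-neutralized reflection could execute even if one slips through."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
        "X-Content-Type-Options": "nosniff",
    }


def reflects_unencoded_markup(term: str, page: str) -> bool:
    """Detection check usable in tests or a response filter: True when a term
    containing '<' reappears in the page byte-for-byte, i.e. unencoded."""
    return "<" in term and term in page


def demo() -> dict:
    """Run the constructed request through both renderers and report the difference."""
    term = search_term_from_url(SAMPLE_URL)
    return {
        "term": term,
        "vulnerable_reflects": reflects_unencoded_markup(term, render_vulnerable(term)),
        "hardened_reflects": reflects_unencoded_markup(term, render_hardened(term)),
        "headers": security_headers(),
    }


if __name__ == "__main__":
    print(demo())
```

The `reflects_unencoded_markup` check is the kind of assertion a theme's test suite or a WAF response rule can apply: any request parameter containing a `<` that comes back verbatim in the response body is a reflection that was not neutralized. Input validation alone (`validate_term`) would not catch the sample input, which is why SI-15 output encoding is the control that actually closes this class of bug, with the CSP in `security_headers` as a second layer.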