CVE-2025-69317

Severity: High

Published: 22 January 2026
Modified: 27 April 2026
KEV Added: not listed
CVSS Score (v3.1): 7.1, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
EPSS Score: 0.0006 (20.3rd percentile)
Risk Priority: 14 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-69317 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 20.3rd percentile by EPSS exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2025-69317 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as reflected cross-site scripting (XSS) under CWE-79, in the CarSpot WordPress theme developed by scriptsbundle. All versions of CarSpot prior to 2.4.6 are affected (the lower bound is recorded as n/a). It carries a CVSS v3.1 base score of 7.1 (High) with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L.

Remote attackers can exploit this vulnerability without authentication by supplying crafted input that the theme reflects into the generated page. Exploitation requires user interaction, such as a victim following a specially crafted link or submitting tainted input on a site running the vulnerable theme. A successful attack executes script in the victim's browser context; because the scope is changed (S:C), the impact extends beyond the vulnerable component, with low confidentiality, integrity, and availability effects.

Patchstack advisories indicate that the vulnerability is addressed in CarSpot version 2.4.6; site administrators should update to this version or later to mitigate the risk.

Vulnerability details

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in scriptsbundle CarSpot carspot allows Reflected XSS. This issue affects CarSpot: from n/a through < 2.4.6.

CWE(s)

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.007 JavaScript (Execution)
Adversaries may abuse various implementations of JavaScript for execution.

Why these techniques?

Reflected XSS in a public-facing WordPress theme directly enables exploitation of an internet-facing application (T1190) and arbitrary JavaScript execution in the victim's browser (T1059.007).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-3231 (shared CWE-79)
CVE-2025-23481 (shared CWE-79)
CVE-2025-69302 (shared CWE-79)
CVE-2025-23734 (shared CWE-79)
CVE-2025-23571 (shared CWE-79)
CVE-2025-65110 (shared CWE-79)
CVE-2026-24948 (shared CWE-79)
CVE-2025-27352 (shared CWE-79)
CVE-2025-30349 (shared CWE-79)
CVE-2026-3876 (shared CWE-79)

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)
Directly requires validation and sanitization of all web input to block the malicious payloads that cause this reflected XSS.

SI-15 Information Output Filtering (prevent)
Requires filtering of information output by the web application, preventing reflected script execution in the victim's browser.

SC-18 Mobile Code (prevent, partial match)
Restricts the use and execution of mobile code/scripts delivered via web pages, limiting the impact of unneutralized reflected input.
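What SI-10 and SI-15 look like in theme code, as an added example that is not CarSpot or scriptsbundle code and says nothing about where the real defect sits: a search-results fragment of the kind a WordPress theme renders, first in the reflected-XSS-prone form and then hardened. The function names render_search_vulnerable, render_search_safe and validated_sort, the sample request and the 100-character bound are assumptions made for this example; esc_html(), esc_attr() and sanitize_text_field() are real WordPress helpers, with fallbacks defined only so the file runs outside WordPress.

```php
<?php
// Added example, not CarSpot/scriptsbundle code: a search-results fragment of the kind a
// WordPress theme renders, first in the reflected-XSS-prone form and then in a form that
// applies SI-10 (input validation) and SI-15 (output filtering/encoding).
// esc_html(), esc_attr() and sanitize_text_field() are real WordPress helpers; the
// fallbacks below exist only so this file runs stand-alone outside WordPress.

if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($str) {
        // Strip tags, control characters and surrounding whitespace.
        $str = strip_tags((string) $str);
        $str = preg_replace('/[\x00-\x1F\x7F]/u', '', $str);
        return trim($str);
    }
}

// Vulnerable pattern: the request parameter is written straight into the markup,
// once as a text node and once inside an attribute value.
function render_search_vulnerable(array $get): string
{
    $keyword = $get['keyword'] ?? '';
    return "<h2>Results for: {$keyword}</h2>\n"
         . "<input type=\"text\" name=\"keyword\" value=\"{$keyword}\">\n";
}

// Hardened pattern: validate and bound the input (SI-10), then encode on output (SI-15)
// with the encoder that matches each sink: esc_html() for text nodes, esc_attr() for
// attribute values.
function render_search_safe(array $get): string
{
    $keyword = sanitize_text_field($get['keyword'] ?? '');
    $keyword = mb_substr($keyword, 0, 100);   // length bound chosen for this example
    return "<h2>Results for: " . esc_html($keyword) . "</h2>\n"
         . "<input type=\"text\" name=\"keyword\" value=\"" . esc_attr($keyword) . "\">\n";
}

// Allowlist validation for a parameter with a fixed vocabulary (also SI-10): anything
// outside the known set falls back to the default instead of reaching the page.
function validated_sort(array $get): string
{
    $allowed = ['price_asc', 'price_desc', 'newest'];
    $sort = $get['sort'] ?? 'newest';
    return in_array($sort, $allowed, true) ? $sort : 'newest';
}

// Constructed sample request: a value that closes the attribute and opens a new tag.
$sample = ['keyword' => '"><em>injected</em>', 'sort' => 'bogus'];

echo "--- vulnerable ---\n", render_search_vulnerable($sample);
echo "--- hardened ---\n",  render_search_safe($sample);
echo "sort = ", validated_sort($sample), "\n";
```

Run with `php example.php`: the vulnerable output breaks out of the value attribute and emits a live `<em>` element, while the hardened output renders the same characters inertly as `&quot;&gt;injected` and the unknown sort value is replaced by the default. Input sanitization alone is not a complete fix, since the same value may land in a URL, a JavaScript string or an attribute, each needing its own encoder (esc_url(), wp_json_encode(), esc_attr()); encoding at the sink is what SI-15 asks for. A Content-Security-Policy header that disallows inline script is the usual defense-in-depth counterpart to the SC-18 mobile-code control listed above.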