CVE-2025-69367
Published: 20 February 2026
Summary
CVE-2025-69367 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 3.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-69367 is an Improper Neutralization of Input During Web Page Generation vulnerability, enabling DOM-based Cross-site Scripting (XSS, CWE-79), in the GT3themes Oyster - Photography WordPress Theme. The issue affects the Oyster theme from unknown initial versions through version 4.4.3 inclusive. Published on 2026-02-20, it carries a CVSS v3.1 base score of 7.1.
Attackers can exploit this remotely over the network (AV:N) with low complexity (AC:L) and no required privileges (PR:N), though user interaction is necessary (UI:R). Exploitation changes scope (S:C), potentially leading to low impacts on confidentiality, integrity, and availability (C:L/I:L/A:L), such as executing scripts in the victim's browser context via manipulated inputs during web page generation.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/oyster/vulnerability/wordpress-oyster-photography-wordpress-theme-theme-4-4-3-cross-site-scripting-xss-vulnerability?_s_id=cve provides details on this vulnerability in the Oyster theme up to version 4.4.3.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-207572
Vulnerability details
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GT3themes Oyster - Photography WordPress Theme oyster allows DOM-Based XSS.This issue affects Oyster - Photography WordPress Theme: from n/a through <= 4.4.3.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
XSS in public-facing WordPress theme directly enables remote script execution (T1059.007) via web app exploitation (T1190) and drive-by compromise (T1189).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation and neutralization of untrusted input before it is used in web page generation, blocking the DOM-based XSS flaw in the Oyster theme.
Requires filtering or encoding of information output during web page generation, preventing attacker-supplied scripts from executing in the victim's browser context.
Provides malicious code detection and blocking mechanisms that can identify and stop injected scripts associated with this XSS vulnerability.