CVE-2026-25350
Published: 25 March 2026
Summary
CVE-2026-25350 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 14.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2026-25350 is an improper neutralization of input during web page generation vulnerability, specifically a reflected cross-site scripting (XSS) issue classified under CWE-79, in the skygroup Miti WordPress theme. It affects Miti versions up to but not including 1.5.3 (listed as "from n/a through < 1.5.3").
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L): it is exploitable over the network with low attack complexity and no required privileges, but it needs user interaction such as clicking a crafted link. Remote attackers can use the reflected XSS to inject and execute arbitrary scripts in a victim's browser within the site's context, with low impact to confidentiality, integrity, and availability and a changed scope (the script runs in the victim's browser rather than in the vulnerable component itself).
The Patchstack advisory details that this reflected XSS vulnerability in the WordPress Miti theme is addressed in version 1.5.3, recommending an update to this or later versions for mitigation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-15665
Vulnerability details
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in skygroup Miti miti allows Reflected XSS. This issue affects Miti: from n/a through < 1.5.3.
- CWE(s): CWE-79 (Improper Neutralization of Input During Web Page Generation)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in a public-facing WordPress theme directly enables remote exploitation of the web application (T1190) to inject and execute arbitrary JavaScript (T1059.007) in the victim's browser context via crafted links.
Mitigating Controls (NIST 800-53 r5)
- SI-15 (Information Output Filtering): Directly addresses improper neutralization of input during web page generation by filtering and encoding outputs so that reflected input cannot be interpreted as script.
- SI-10 (Information Input Validation): Validates web inputs to reject or sanitize malicious payloads that could otherwise lead to reflected XSS execution.
- SI-2 (Flaw Remediation): Mandates timely flaw remediation, such as patching the Miti theme to version 1.5.3 or later, to eliminate the specific XSS vulnerability.
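As an added illustration of the two code-level controls above (not the Miti theme's own code, and not the actual defect in it), the following hypothetical WordPress theme fragment reflects a request parameter first without neutralization and then with SI-10 validation plus SI-15 context-aware output encoding. It assumes the WordPress `esc_html()`/`esc_attr()` functions and supplies fallbacks so it runs outside WordPress.

```php
<?php
// Added example, not code from the Miti theme. The request parameter name
// "q" and the template layout are hypothetical. Fallbacks below mirror the
// WordPress escaping helpers so the script runs with plain PHP.

if (!function_exists('esc_html')) {
    // Encode for HTML text context (WordPress esc_html() equivalent).
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    // Encode for HTML attribute context (WordPress esc_attr() equivalent).
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// CWE-79 pattern: the parameter is written into the page unencoded, so any
// markup it carries becomes part of the document the browser renders.
function render_results_heading_unsafe(array $get): string {
    $q = $get['q'] ?? '';
    return "<h2>Results for: {$q}</h2>";
}

// Hardened pattern: SI-10 rejects input outside the expected shape, and
// SI-15 encodes the value separately for each output context it lands in.
function render_results_heading_safe(array $get): string {
    $q = (string) ($get['q'] ?? '');
    if (strlen($q) > 100 || preg_match('/[\x00-\x1F\x7F]/', $q)) {
        $q = ''; // SI-10: drop over-long input or input with control characters
    }
    $heading = '<h2>Results for: ' . esc_html($q) . '</h2>';      // text context
    $input   = '<input name="q" value="' . esc_attr($q) . '">';   // attribute context
    return $heading . "\n" . $input;
}

// Constructed sample request (not data from the advisory): plain markup in
// the parameter is enough to show the difference between the two renderings.
$sample = ['q' => '<b>injected</b>'];
echo "Unsafe:\n", render_results_heading_unsafe($sample), "\n\n";
echo "Safe:\n", render_results_heading_safe($sample), "\n";
```

The unsafe rendering emits the `<b>` tag as live markup, while the hardened rendering shows it as literal text and keeps the attribute value inside its quotes.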