CVE-2026-25373
Published: 25 March 2026
Summary
CVE-2026-25373 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 14.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2026-25373 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, affecting the Vayvo WordPress theme by ProgressionStudios (slug vayvo-progression). All versions prior to 6.8 are affected (the advisory gives the lower bound as n/a, i.e. no minimum affected version). The CVSS v3.1 base score is 7.1 (vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L): reachable over the network, low attack complexity, no privileges required, user interaction required, changed scope, and low impacts on confidentiality, integrity and availability.
Attackers can exploit this reflected XSS remotely and without authentication by inducing a user to open a crafted link (or submit crafted input) whose parameter value the theme echoes into the response without encoding, so the attacker's script executes in the victim's browser within the origin of the affected site. Successful exploitation allows limited theft of data available to that origin (cookies not marked HttpOnly, page content, or any action the victim's session is authorized to perform), manipulation of page content, or disruption of the user's session. The changed scope reflects that the code runs in the victim's browser, a security authority distinct from the vulnerable server-side component, so other users of the site can be affected one victim at a time.
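The general shape of the bug and of its fix, as an added example that is not code from the Vayvo theme or from the Patchstack advisory; it also illustrates the difference between the SI-10 (input validation) and SI-15 (output filtering) controls listed under Mitigating Controls. The parameter name `q`, the page templates, the payload and the crafted link are assumptions for illustration; the advisory does not name the real reflected parameter.

```python
# Added example (not code from the Vayvo theme or the Patchstack advisory).
# Shows the CWE-79 reflected-XSS pattern, why a blocklist "validation" fix is
# insufficient on its own, and the context-aware output encoding that fixes it.
# The parameter name "q", the templates and the payload are assumptions.
import html
from urllib.parse import parse_qs, quote, urlsplit

# Constructed payload of the kind carried in a crafted link: it closes the
# attribute it lands in and injects an element with an event handler, so it
# needs no <script> tag at all.
PAYLOAD = '"><img src=x onerror=alert(document.cookie)>'


def render_vulnerable(query: str) -> str:
    """Reflects the raw parameter into three HTML contexts (the bug)."""
    return (
        f"<h2>Results for {query}</h2>\n"
        f'<input type="text" name="q" value="{query}">\n'
        f'<a href="/search?q={query}">Permalink</a>'
    )


def naive_blocklist(query: str) -> str:
    """An inadequate input-validation 'fix': strips <script> tags only.

    Event-handler payloads such as PAYLOAD pass through untouched, which is
    why SI-10 style validation must be paired with output encoding (SI-15).
    """
    return query.replace("<script", "").replace("</script>", "")


def render_hardened(query: str) -> str:
    """Same template with encoding chosen per output context (the fix).

    WordPress themes get the same effect with esc_html(), esc_attr() and
    esc_url() respectively; here the Python standard library is used.
    """
    text = html.escape(query, quote=False)  # HTML text node: encodes & < >
    attr = html.escape(query, quote=True)   # quoted attribute: also " and '
    url = quote(query, safe="")             # URL query component: percent-encode
    return (
        f"<h2>Results for {text}</h2>\n"
        f'<input type="text" name="q" value="{attr}">\n'
        f'<a href="/search?q={url}">Permalink</a>'
    )


def reflects_raw_markup(rendered: str) -> bool:
    """Crude oracle used by this example: did the injected element survive?"""
    return "<img" in rendered and "onerror=" in rendered


def query_from_link(link: str) -> str:
    """Extract the reflected parameter from a crafted link (name assumed)."""
    return parse_qs(urlsplit(link).query).get("q", [""])[0]


def crafted_link(site: str = "https://example.test/") -> str:
    """Build the link an attacker would send (site is a placeholder)."""
    return f"{site}?q={quote(PAYLOAD, safe='')}"


if __name__ == "__main__":
    q = query_from_link(crafted_link())
    print("vulnerable:", reflects_raw_markup(render_vulnerable(q)))                    # True
    print("blocklist :", reflects_raw_markup(render_vulnerable(naive_blocklist(q))))   # True
    print("hardened  :", reflects_raw_markup(render_hardened(q)))                      # False
    print(render_hardened(q))
```

The point of the three contexts is that one encoder does not fit all of them: text-node escaping alone would still let a payload break out of a quoted attribute, and neither HTML escape is correct inside a URL or a script block. The advisory confirms 6.8 as the fixed version but does not describe the patch itself.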
The Patchstack advisory for this vulnerability (https://patchstack.com/database/Wordpress/Theme/vayvo-progression/vulnerability/wordpress-vayvo-media-streaming-membership-wordpress-theme-theme-6-8-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve) states that the issue is fixed in Vayvo 6.8; sites running an earlier version should update to 6.8 or later.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-15693
Vulnerability details
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ProgressionStudios Vayvo vayvo-progression allows Reflected XSS. This issue affects Vayvo: from n/a through < 6.8.
- CWE(s): CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in a public-facing WordPress theme lets an attacker exploit the application remotely (T1190); delivery relies on the victim opening a crafted link (T1204.001, User Execution: Malicious Link).
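What delivery of such a link looks like in the target site's own access log, as an added detection example that is not part of the advisory or the theme: the combined-format log lines are constructed, and the `s` parameter and the request paths are hypothetical placeholders rather than Vayvo's real reflected endpoint.

```python
# Added detection example (not from the advisory or the theme). Scans
# constructed web-server access-log lines for reflected-XSS delivery attempts:
# a victim following a crafted link (T1204.001) shows up as a GET whose query
# string carries markup, often with a third-party Referer. The "s" parameter
# and the paths below are hypothetical placeholders.
import re
from html import unescape
from typing import Optional
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in Apache/nginx "combined" format.
LOG_LINES = [
    '203.0.113.7 - - [25/Mar/2026:10:01:12 +0000] "GET /?s=vayvo+movies HTTP/1.1" '
    '200 5123 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [25/Mar/2026:10:02:44 +0000] '
    '"GET /?s=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" '
    '200 5210 "https://attacker.example/promo" "Mozilla/5.0"',
    '198.51.100.24 - - [25/Mar/2026:10:03:09 +0000] '
    '"GET /?s=%253Csvg%2Fonload%253Dalert(1)%253E HTTP/1.1" 200 5190 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [25/Mar/2026:10:04:30 +0000] '
    '"GET /wp-content/themes/vayvo-progression/style.css HTTP/1.1" 200 81000 '
    '"https://example.test/" "Mozilla/5.0"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Markup or script-bearing constructs that have no place in a search string.
XSS_INDICATORS = re.compile(r"<\s*[a-z!/]|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo (possibly nested) percent-encoding, then HTML entities, before matching."""
    for _ in range(rounds):
        nxt = unquote(value)
        if nxt == value:
            break
        value = nxt
    return unescape(value)


def parse_line(line: str) -> Optional[dict]:
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_params(target: str) -> list:
    """(name, decoded value) for each query parameter that carries markup."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = fully_decode(value)
        if XSS_INDICATORS.search(decoded):
            hits.append((name, decoded))
    return hits


def scan(lines: list) -> list:
    """One finding per request whose query string looks like an XSS delivery."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hits = suspicious_params(rec["target"])
        if hits:
            findings.append({
                "ip": rec["ip"], "ts": rec["ts"], "status": rec["status"],
                "referer": rec["referer"], "params": hits,
            })
    return findings


if __name__ == "__main__":
    for f in scan(LOG_LINES):
        print(f["ts"], f["ip"], f["status"], f["referer"], f["params"])
```

Two caveats when triaging hits: in a reflected attack the client IP in the log is the victim's, not the attacker's, so blocking it is the wrong response, and the Referer (when present) is the better pivot toward where the link was planted; a 200 status on a hit means the input reached the page, which on an unpatched theme means it was reflected. Payloads delivered in a POST body will not appear in the request line at all, so this check only covers the query-string delivery path.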
Affected Assets
ProgressionStudios Vayvo WordPress theme (slug vayvo-progression), all versions prior to 6.8; fixed in 6.8.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): requires validation of user input so that reflected parameters cannot carry script, as in CVE-2026-25373.
- SI-15 (Information Output Filtering): mandates filtering or encoding of output so that untrusted input reflected into a page is rendered as data rather than executed as script.
- Flaw remediation: ensures timely patching of the XSS flaw by updating Vayvo from any version prior to 6.8 to 6.8 or later.