Stored Cross-Site Scripting Vulnerability in WordPress Plugin by Vendor
CVE-2025-1798

6.1MEDIUM

Key Information:

Vendor: WordPress
Status: Design-comuni-WordPress-theme
Vendor: CVE Published:; 25 March 2025

Badges

👾 Exploit Exists🟡 Public PoC

Summary

This vulnerability arises from insufficient sanitization and escaping of certain parameters during page output, which could allow unauthenticated users to execute stored Cross-Site Scripting (XSS) attacks. If exploited, attackers can manipulate user sessions, deliver malicious payloads, or interact with sensitive data on the compromised site.

Affected Version(s)

design-comuni-wordpress-theme 0 < 1.1.2

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-1798 - Proof of Concept

References

https://wpscan.com/vulnerability/c5c30191-857c-419c-9096-...

exploitvdb-entrytechnical-description

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

🟡
Public PoC available
Mar 25, 2025
👾
Exploit known to exist
Mar 25, 2025
Vulnerability published
Mar 25, 2025
Vulnerability Reserved
Feb 28, 2025

Credit

Filippo Decortes (Bitcube Security)

WPScan