Cross-Site Scripting Vulnerability in Porto Theme Functionality by Porto Themes
CVE-2025-63066

6.5MEDIUM

Key Information:

Vendor: WordPress
Status: Porto Theme - Functionality
Vendor: CVE Published:; 9 December 2025

What is CVE-2025-63066?

A Cross-Site Scripting (XSS) vulnerability exists in the Porto Theme - Functionality, allowing malicious users to inject arbitrary scripts into web pages viewed by other users. This vulnerability occurs due to improper sanitization of user input, potentially leading to unauthorized access to sensitive information and the manipulation of web interface behavior. The flaw affects all versions of the Porto Theme – Functionality from n/a up to and including version 3.6.2, making it crucial for website administrators to review and apply the necessary updates to safeguard their applications.

Affected Version(s)

Porto Theme - Functionality <= n/a

References

https://vdp.patchstack.com/database/Wordpress/Plugin/port...

vdb-entry

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 9, 2025
Vulnerability Reserved
Oct 24, 2025

Credit

João Pedro S Alcântara (Kinorth) | Patchstack Bug Bounty Program

JSON