CVE-2025-68538
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-22

Last updated on: 2026-01-29

Assigner: Patchstack

Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Craft craftcoffee allows DOM-Based XSS.This issue affects Craft: from n/a through <= 2.3.6.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-22
Last Modified
2026-01-29
Generated
2026-06-16
AI Q&A
2026-01-22
EPSS Evaluated
2026-06-15
NVD
CVE-2025-68538
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
themegoods craft to 2.3.6 (inc)
themegoods craft From 2.3.7 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-68538 is a Cross Site Scripting (XSS) vulnerability in the WordPress Craft Theme (craftcoffee) versions up to 2.3.6. It allows an unauthenticated attacker to inject malicious scripts, such as redirects or advertisements, into a website. These scripts execute when visitors access the site, potentially compromising user interactions. Exploitation requires user interaction, like clicking a malicious link or visiting a crafted page. [1]

Impact Analysis

This vulnerability can lead to malicious scripts running in the context of your website, which can result in unauthorized redirects, display of unwanted advertisements, or theft of sensitive information from users. It can degrade user trust, harm your website's reputation, and potentially expose users to further attacks. [1]

Detection Guidance

Detection of this DOM-Based XSS vulnerability can involve monitoring for suspicious script injections or unusual URL parameters that trigger script execution in the affected Craft Theme versions up to 2.3.6. Since it involves user interaction with crafted links or forms, you can use web application security scanners or proxy tools like OWASP ZAP or Burp Suite to test for reflected XSS by sending crafted requests to the site. Additionally, inspecting web server logs for unusual query parameters or payloads may help. Specific commands are not provided in the resources. [1]

Mitigation Strategies

The immediate mitigation step is to update the Craft Theme to version 2.3.7 or later, where the vulnerability is fixed. Until the update can be applied, you can use the mitigation rule provided by Patchstack to block attacks targeting this vulnerability, offering rapid protection. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-68538. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart