CVE-2025-69391
Reflected XSS in GT3themes Diamond β€ 2.4.8 Allows Code Injection
Publication date: 2026-02-20
Last updated on: 2026-02-23
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gt3themes | diamond | to 2.4.8 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-69391 is a medium priority Cross Site Scripting (XSS) vulnerability affecting the WordPress Diamond Theme versions up to and including 2.4.8.
This vulnerability allows unauthenticated attackers to inject malicious scriptsβsuch as redirects, advertisements, or other HTML payloadsβinto websites using the vulnerable theme.
These malicious scripts execute when site visitors access the compromised pages, potentially leading to harmful effects.
The vulnerability is classified under OWASP Top 10 A3: Injection and has a CVSS score of 7.1, indicating moderate severity.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing attackers to execute malicious scripts on your website without authentication.
Such scripts can perform harmful actions like redirecting visitors to malicious sites, displaying unwanted advertisements, or stealing sensitive information.
Exploitation requires user interaction, such as clicking a malicious link or submitting a crafted form.
If exploited, it can compromise the security and trustworthiness of your website, potentially harming your users and your reputation.
No official patch is currently available, so mitigation involves applying Patchstackβs mitigation rule or removing and replacing the vulnerable theme.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a reflected Cross Site Scripting (XSS) issue affecting the WordPress Diamond Theme up to version 2.4.8. Detection typically involves testing for injection of malicious scripts in web page inputs that are reflected without proper neutralization.
While no specific commands are provided in the available resources, common detection methods include using web vulnerability scanners or manual testing by injecting typical XSS payloads (e.g., <script>alert(1)</script>) into URL parameters or form inputs on pages using the vulnerable theme and observing if the script executes.
Network detection might involve monitoring HTTP requests and responses for suspicious script injections or unusual redirects triggered by malicious payloads.
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': "Immediate mitigation steps include applying Patchstack's mitigation rule designed to block attacks exploiting this vulnerability until an official patch is released."}, {'type': 'paragraph', 'content': 'If applying the mitigation is not possible, users are advised to remove and replace the vulnerable Diamond theme entirely to protect their websites.'}, {'type': 'paragraph', 'content': 'Simply deactivating the theme does not remove the security risk unless Patchstackβs mitigation is applied.'}] [1]