CVE-2025-69391
Awaiting Analysis Awaiting Analysis - Queue
Reflected XSS in GT3themes Diamond ≀ 2.4.8 Allows Code Injection

Publication date: 2026-02-20

Last updated on: 2026-02-23

Assigner: Patchstack

Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GT3themes Diamond diamond allows Reflected XSS.This issue affects Diamond: from n/a through <= 2.4.8.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-20
Last Modified
2026-02-23
Generated
2026-06-16
AI Q&A
2026-02-20
EPSS Evaluated
2026-06-14
NVD
CVE-2025-69391
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
gt3themes diamond to 2.4.8 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-69391 is a medium priority Cross Site Scripting (XSS) vulnerability affecting the WordPress Diamond Theme versions up to and including 2.4.8.

This vulnerability allows unauthenticated attackers to inject malicious scriptsβ€”such as redirects, advertisements, or other HTML payloadsβ€”into websites using the vulnerable theme.

These malicious scripts execute when site visitors access the compromised pages, potentially leading to harmful effects.

The vulnerability is classified under OWASP Top 10 A3: Injection and has a CVSS score of 7.1, indicating moderate severity.

Impact Analysis

This vulnerability can impact you by allowing attackers to execute malicious scripts on your website without authentication.

Such scripts can perform harmful actions like redirecting visitors to malicious sites, displaying unwanted advertisements, or stealing sensitive information.

Exploitation requires user interaction, such as clicking a malicious link or submitting a crafted form.

If exploited, it can compromise the security and trustworthiness of your website, potentially harming your users and your reputation.

No official patch is currently available, so mitigation involves applying Patchstack’s mitigation rule or removing and replacing the vulnerable theme.

Compliance Impact

I don't know

Detection Guidance

This vulnerability is a reflected Cross Site Scripting (XSS) issue affecting the WordPress Diamond Theme up to version 2.4.8. Detection typically involves testing for injection of malicious scripts in web page inputs that are reflected without proper neutralization.

While no specific commands are provided in the available resources, common detection methods include using web vulnerability scanners or manual testing by injecting typical XSS payloads (e.g., <script>alert(1)</script>) into URL parameters or form inputs on pages using the vulnerable theme and observing if the script executes.

Network detection might involve monitoring HTTP requests and responses for suspicious script injections or unusual redirects triggered by malicious payloads.

Mitigation Strategies

[{'type': 'paragraph', 'content': "Immediate mitigation steps include applying Patchstack's mitigation rule designed to block attacks exploiting this vulnerability until an official patch is released."}, {'type': 'paragraph', 'content': 'If applying the mitigation is not possible, users are advised to remove and replace the vulnerable Diamond theme entirely to protect their websites.'}, {'type': 'paragraph', 'content': 'Simply deactivating the theme does not remove the security risk unless Patchstack’s mitigation is applied.'}] [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-69391. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart