CVE-2025-31013
Deferred Deferred - Pending Action
Reflected Cross-Site Scripting in Themify Folo

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: Patchstack

Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themify Folo allows Reflected XSS. This issue affects Themify Folo: from n/a through 1.9.6.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-17
Last Modified
2026-06-17
Generated
2026-06-17
AI Q&A
2026-06-17
EPSS Evaluated
N/A
NVD
CVE-2025-31013
EUVD
EUVD-2025-210238
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
themify folo From 1.0.0 (inc) to 1.9.6 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability can impact you by allowing attackers to execute malicious scripts on your website visitors' browsers.

  • Attackers can redirect visitors to malicious websites.
  • Attackers can display unwanted advertisements or other harmful content.
  • It can lead to loss of user trust and damage to your website's reputation.
  • Since the vulnerability has a CVSS score of 7.1, it represents a moderate risk and could be exploited in widespread attacks.
Detection Guidance

This vulnerability is a Reflected Cross Site Scripting (XSS) issue in the Themify Folo WordPress theme up to version 1.9.6. Detection typically involves monitoring for suspicious HTTP requests containing malicious script payloads or unusual URL parameters that could trigger the XSS.

Since the vulnerability requires user interaction such as clicking a malicious link or submitting a form, you can detect potential exploitation attempts by inspecting web server logs for unusual query strings or POST data containing script tags or JavaScript code.

Specific commands are not provided in the available resources, but common approaches include using tools like grep or specialized web application scanners to search for suspicious input patterns in logs or traffic.

Mitigation Strategies

Immediate mitigation steps include applying any available updates or patches to the Themify Folo theme. However, as of now, there is no official patch released by the theme developers.

Patchstack has provided a mitigation rule to block attacks targeting this vulnerability until an official fix is available.

It is advised to implement this mitigation rule, seek assistance from your hosting provider or a developer to apply temporary protections, and consider updating the theme as soon as an official patch is released.

Executive Summary

The WordPress Themify Folo Theme, versions up to and including 1.9.6, is vulnerable to a Cross Site Scripting (XSS) attack, specifically a Reflected XSS vulnerability.

This vulnerability allows attackers to inject malicious scripts into web pages generated by the theme. These scripts can execute when visitors access the affected site, potentially leading to redirects, displaying unwanted advertisements, or other malicious actions.

Exploitation requires user interaction, such as clicking a malicious link or submitting a form, and can be performed by unauthenticated users.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-31013. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart