CVE-2026-57725
Received Received - Intake

Stored XSS in Themeum Kirki Toolkit

Vulnerability report for CVE-2026-57725, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-13

Last updated on: 2026-07-13

Assigner: Patchstack

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeum Kirki kirki allows Stored XSS.This issue affects Kirki: from n/a through <= 6.0.11.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-13
Last Modified
2026-07-13
Generated
2026-07-13
AI Q&A
2026-07-13
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
themeum kirki From 6.0.0 (inc) to 6.0.11 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a Cross Site Scripting (XSS) issue found in the WordPress Kirki Plugin versions 6.0.11 and below. It occurs due to improper neutralization of input during web page generation, allowing attackers to inject malicious scripts into the website.

When a visitor accesses the affected site, these malicious scripts can execute, potentially causing harmful actions such as redirects or displaying unwanted content.

Exploitation requires a privileged user to interact with a specially crafted link, page, or form.

The issue has been fixed in version 6.0.12, and users are advised to update immediately.

Impact Analysis

This vulnerability can impact you by allowing attackers to inject and execute malicious scripts on your website.

  • Attackers could redirect visitors to malicious sites.
  • Unwanted or harmful content could be displayed to your users.
  • It may lead to compromised user trust and damage to your website's reputation.

Successful exploitation requires interaction by a privileged user, which means attackers might leverage social engineering or other tactics to trigger the vulnerability.

Detection Guidance

Detection of this Cross-site Scripting (XSS) vulnerability in the WordPress Kirki Plugin involves monitoring for unusual script injections or unexpected behavior on web pages generated by the plugin.

Since the vulnerability requires a privileged user to interact with crafted links, pages, or forms, you can look for suspicious input or payloads in HTTP requests targeting the Kirki plugin.

Specific commands are not provided in the available resources, but general approaches include using web vulnerability scanners that detect XSS, inspecting web server logs for suspicious requests, and using tools like curl or wget to test input fields for script injection.

Mitigation Strategies

The immediate and recommended mitigation step is to update the WordPress Kirki Plugin to version 6.0.12 or later, where this vulnerability has been patched.

For those unable to update immediately, Patchstack has provided a mitigation rule that can be applied to help reduce the risk of exploitation.

Additionally, restricting privileged user interactions with untrusted links or forms and monitoring for suspicious activity can help mitigate potential exploitation.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-57725. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart