CVE-2025-60101 identifies a stored Cross-site Scripting (XSS) vulnerability in the Woostify WordPress theme developed by duongancol, affecting all versions up to and including 2.4.2. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, allowing attackers to inject malicious JavaScript code that is stored persistently on the website. When other users or administrators visit the compromised pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, credential theft, unauthorized actions, or distribution of malware. Stored XSS is particularly dangerous because the payload remains on the server and affects multiple users over time. The vulnerability does not require authentication, increasing the attack surface, and no user interaction beyond visiting the affected page is necessary to trigger the exploit. Although no public exploits have been reported yet, the widespread use of WordPress and the popularity of the Woostify theme in e-commerce and content-driven sites elevate the risk. The lack of a CVSS score means severity must be assessed based on impact and exploitability factors. The vulnerability affects the confidentiality, integrity, and availability of affected websites and their users. Patch information is not yet available, so temporary mitigations such as input validation, output encoding, and Content Security Policy (CSP) enforcement are recommended. Monitoring for anomalous script injections and user reports of suspicious behavior is also advised. Organizations should prioritize updating Woostify to a fixed version once released to fully remediate the issue.

The stored XSS vulnerability in Woostify can have significant impacts on organizations worldwide, especially those running WordPress sites with this theme. Attackers can exploit the flaw to execute arbitrary JavaScript in the context of the victim’s browser, leading to session hijacking, theft of sensitive information such as cookies and credentials, unauthorized actions performed on behalf of users, and potential malware distribution. This can result in data breaches, loss of customer trust, reputational damage, and financial losses. E-commerce sites using Woostify are particularly at risk as attackers could manipulate transactions or steal payment information. The persistent nature of stored XSS means the malicious payload can affect multiple users over time, increasing the scope of impact. Additionally, attackers could use the vulnerability to deface websites or disrupt service availability. Since no authentication is required, the attack surface is broad, and automated exploitation is feasible. The absence of known exploits currently provides a window for mitigation, but the risk remains high due to the popularity of WordPress and Woostify in various industries globally.

1. Monitor official duongancol and Woostify channels for security patches and apply updates immediately once a fixed version beyond 2.4.2 is released. 2. Until patches are available, implement strict input validation and output encoding on all user-supplied data to prevent malicious script injection. 3. Deploy Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of potential XSS payloads. 4. Conduct regular security audits and scanning of WordPress sites using Woostify to detect injected scripts or suspicious content. 5. Limit user privileges on WordPress sites to reduce the risk of unauthorized content injection. 6. Educate site administrators and users about the risks of XSS and encourage vigilance for unusual site behavior or unexpected pop-ups. 7. Use Web Application Firewalls (WAFs) configured to detect and block common XSS attack patterns targeting WordPress themes. 8. Backup site data regularly to enable quick restoration in case of compromise. 9. Review and harden other WordPress plugins and themes to reduce overall attack surface, as chained vulnerabilities can increase risk.