CVE-2025-63072 is a stored Cross-site Scripting (XSS) vulnerability identified in THEMECO's Cornerstone product, a popular WordPress page builder theme. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, allowing malicious scripts to be stored persistently within the application. When a victim accesses a compromised page, the injected script executes in their browser context, potentially leading to session hijacking, credential theft, unauthorized actions, or website defacement. The affected versions include all releases up to and including 7.7.3, with no specific earliest version identified. The vulnerability does not require authentication or user interaction beyond visiting the infected page, increasing its risk profile. Although no public exploits have been reported yet, the nature of stored XSS vulnerabilities makes them attractive targets for attackers due to their persistence and broad impact. The lack of a CVSS score indicates that the vulnerability is newly disclosed and pending further analysis. The vulnerability was reserved in late October 2025 and published in early December 2025, suggesting recent discovery. The absence of vendor patches at the time of disclosure highlights the need for rapid response once updates are available. Stored XSS in a widely used theme like Cornerstone can affect numerous websites, especially those in Europe where WordPress adoption is significant. Attackers could leverage this vulnerability to compromise user data, spread malware, or conduct phishing campaigns by injecting malicious content into trusted sites.

For European organizations, this vulnerability poses a substantial risk to web-facing assets that utilize THEMECO Cornerstone for content management or website building. Exploitation can lead to unauthorized access to user sessions, theft of sensitive information such as login credentials or personal data, and potential defacement or manipulation of website content. This can damage organizational reputation, lead to regulatory non-compliance under GDPR due to data breaches, and disrupt business operations. The persistent nature of stored XSS means that once exploited, the malicious payload can affect all visitors to the compromised site, amplifying the impact. Additionally, attackers could use the vulnerability as a foothold for further attacks within the network or to distribute malware to site visitors. Given the widespread use of WordPress and Cornerstone in Europe, especially among SMEs and enterprises relying on web presence, the threat is significant. The lack of known exploits currently provides a window for proactive mitigation, but the risk of rapid exploitation remains high once public exploit code emerges.

Organizations should immediately inventory their web assets to identify any use of THEMECO Cornerstone up to version 7.7.3. Until a vendor patch is released, implement Web Application Firewall (WAF) rules to detect and block typical XSS payload patterns targeting Cornerstone endpoints. Employ Content Security Policy (CSP) headers to restrict script execution sources and reduce the impact of injected scripts. Conduct thorough input validation and output encoding on all user-supplied data within custom code or plugins that interact with Cornerstone. Monitor web server logs and user reports for signs of suspicious script injections or unusual behavior. Once THEMECO releases a security update, prioritize patching affected systems promptly. Additionally, educate website administrators and content editors about the risks of injecting untrusted content and enforce least privilege principles for content management roles. Regular security scanning and penetration testing focused on XSS vulnerabilities can help detect residual issues. Finally, maintain updated backups of website data to enable rapid recovery if compromise occurs.