CVE-2025-68077 is a stored Cross-site Scripting (XSS) vulnerability in the Select-Themes Stockholm WordPress theme, identified in versions up to and including 9.14.1. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, which allows attackers to inject malicious JavaScript code that is stored persistently on the server and executed in the context of users visiting the affected site. This type of vulnerability can be exploited when an attacker with at least low-level privileges (PR:L) submits crafted input that is not properly sanitized or encoded before being rendered on the page. The attack requires user interaction (UI:R), such as a victim visiting a maliciously crafted page or content. The CVSS vector indicates network attack vector (AV:N), low attack complexity (AC:L), and scope change (S:C), meaning the vulnerability can affect resources beyond the initially vulnerable component. The impact includes partial loss of confidentiality, integrity, and availability (C:L/I:L/A:L), potentially enabling session hijacking, defacement, or distribution of malware through the compromised site. Although no known exploits are currently reported in the wild, the vulnerability poses a moderate risk due to the widespread use of the Stockholm theme in WordPress sites. The vulnerability was published on December 16, 2025, and no official patches or mitigations have been linked yet, highlighting the need for proactive defensive measures.

For European organizations, especially those operating public-facing websites using the Select-Themes Stockholm theme, this vulnerability can lead to significant security incidents. Attackers exploiting the stored XSS can hijack user sessions, steal sensitive information, or perform unauthorized actions on behalf of users, undermining trust and potentially causing regulatory compliance issues under GDPR. The partial compromise of confidentiality, integrity, and availability can disrupt business operations and damage reputation. E-commerce platforms, government portals, and service providers using this theme are particularly at risk. The requirement for low privileges and user interaction lowers the barrier for exploitation, increasing the threat landscape. Additionally, the scope change in the CVSS vector suggests that the impact could extend beyond the immediate vulnerable component, potentially affecting other integrated systems or user accounts.

1. Monitor Select-Themes official channels and WordPress repositories for patches addressing CVE-2025-68077 and apply updates immediately upon release. 2. Implement strict input validation and output encoding on all user-supplied data, especially in areas where the theme renders dynamic content. 3. Deploy Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of XSS attacks. 4. Conduct regular security audits and penetration testing focusing on web application vulnerabilities, including XSS. 5. Limit user privileges to the minimum necessary to reduce the risk of low-privilege exploitation. 6. Educate users and administrators about the risks of clicking on untrusted links or interacting with suspicious content. 7. Use Web Application Firewalls (WAFs) with rules tailored to detect and block XSS payloads targeting the Stockholm theme. 8. Review and sanitize all third-party plugins or custom code interacting with the theme to prevent injection vectors.