CVE-2025-68978 is a DOM-based Cross-site Scripting (XSS) vulnerability found in the designthemes DesignThemes Core product, specifically affecting versions up to and including 1.6. This vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, which allows malicious actors to inject and execute arbitrary JavaScript code within the victim’s browser environment. Unlike traditional reflected or stored XSS, DOM-based XSS occurs entirely on the client side, where the manipulation of the Document Object Model (DOM) leads to script execution without server-side input validation failures. The vulnerability can be exploited remotely over the network (AV:N) with low attack complexity (AC:L), does not require privileges (PR:N), but does require user interaction (UI:R), such as clicking a malicious link or visiting a crafted webpage. The scope is changed (S:C), meaning the vulnerability affects resources beyond the vulnerable component, potentially impacting the entire web application context. The impact affects confidentiality and integrity (C:L/I:L) but not availability (A:N), allowing attackers to steal sensitive information like session tokens or manipulate client-side logic. No patches or exploit code are currently publicly available, and no known exploits in the wild have been reported. The vulnerability was published on December 30, 2025, and is tracked under CVE-2025-68978 with a CVSS v3.1 base score of 6.1, categorized as medium severity.

For European organizations, this vulnerability poses a risk primarily to web applications using the DesignThemes Core framework, which may be part of content management systems, e-commerce platforms, or corporate websites. Successful exploitation can lead to theft of session cookies, user credentials, or other sensitive data, enabling account takeover or unauthorized actions on behalf of users. This can damage organizational reputation, lead to regulatory non-compliance (e.g., GDPR breaches due to data exposure), and cause financial losses. Since the attack requires user interaction, phishing or social engineering campaigns could be used to lure victims. The medium severity indicates a moderate risk, but the scope change implies that multiple components or domains could be affected, increasing the potential impact. European organizations with high web traffic or customer-facing portals are particularly at risk, especially if they have not updated or patched their DesignThemes Core installations. The lack of known exploits in the wild reduces immediate risk but should not lead to complacency.

1. Apply patches or updates from designthemes as soon as they become available to address the vulnerability directly. 2. Implement strict input validation and sanitization on all user-controllable inputs, especially those reflected in the DOM. 3. Employ Content Security Policy (CSP) headers to restrict the execution of untrusted scripts and reduce the impact of XSS attacks. 4. Use frameworks or libraries that automatically encode or escape output to prevent injection of malicious scripts. 5. Educate users and employees about the risks of clicking on suspicious links or visiting untrusted websites to reduce the likelihood of successful exploitation. 6. Conduct regular security assessments and penetration testing focusing on client-side vulnerabilities. 7. Monitor web application logs and user reports for signs of suspicious activity that might indicate exploitation attempts. 8. Consider implementing web application firewalls (WAFs) with rules designed to detect and block XSS payloads targeting the DesignThemes Core.