CVE-2025-15654: Fox-themes Prague Reflected XSS Vulnerability – CVSS 7.1 (HIGH)
CVE-2025-15654 is a reflected cross-site scripting (XSS) vulnerability in Fox-themes Prague versions 2.2.8 and earlier. An attacker can craft a malicious URL containing unsanitized input that, when visited by a user, executes arbitrary JavaScript in their browser within the context of the vulnerable application. This allows the attacker to steal session cookies, perform actions on behalf of the victim, or redirect them to phishing sites—all without modifying the application itself.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.1 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-79
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-03 / 2026-06-17
NVD description (verbatim)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Fox-themes Prague allows Reflected XSS. This issue affects Prague: from n/a through 2.2.8.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The Prague theme fails to properly neutralize user-supplied input before rendering it into web pages, specifically in reflected XSS scenarios. The vulnerability stems from inadequate input validation and output encoding (CWE-79), allowing attackers to inject malicious scripts that execute in the victim's browser. The CVSS 3.1 score of 7.1 (HIGH) reflects that exploitation requires user interaction (a victim must click a malicious link) and network access, but carries meaningful impact across confidentiality, integrity, and availability once triggered. The attack vector is network-based with low complexity, meaning no special privileges or advanced techniques are required.
Business impact
Reflected XSS in a widely-used WordPress theme can undermine user trust and expose both site administrators and visitors to credential theft, malware distribution, and unauthorized account access. Organizations relying on Prague may face reputational damage, compliance violations (especially under GDPR or CCPA if user data is exfiltrated), and operational disruption. Attackers can use compromised sessions to modify site content, install backdoors, or pivot to backend systems. The requirement for user interaction lowers immediate risk somewhat, but social engineering can reliably deliver malicious links to targets.
Affected systems
Fox-themes Prague theme versions up to and including 2.2.8 are affected. This includes all earlier versions, as the advisory specifies the range from n/a (earliest tracked) through 2.2.8. Organizations and individuals running Prague on WordPress sites should assume they are vulnerable unless already patched to a version released after 2.2.8.
Exploitability
Exploitation is straightforward and requires only a crafted URL. An attacker creates a link containing malicious JavaScript and distributes it via email, comments, or social media. When a logged-in user or administrator clicks the link while browsing the vulnerable site, the script executes in their browser with their session privileges. No authentication, local access, or user installation is needed; the vulnerability is remotely exploitable from the network. However, the attack requires user interaction—victims must be tricked into clicking—which provides a marginal control opportunity.
Remediation
Update Prague to the first patched version released after 2.2.8. Verify the exact version number in the vendor advisory or security notice from Fox-themes. Organizations should also audit recent access logs and session activity for signs of exploitation, enforce strong session management practices, and consider implementing Web Application Firewalls (WAF) rules to block common XSS payloads during the update window.
Patch guidance
Check Fox-themes' official release notes and security advisories for the patch version that addresses this vulnerability. Apply the update immediately to all affected Prague installations. Before deploying, test in a staging environment to ensure compatibility with custom plugins and configurations. Monitor theme update notifications and subscribe to security mailing lists to catch future issues promptly.
Detection guidance
Monitor web server logs and WAF alerts for HTTP requests containing common XSS patterns (e.g., script tags, event handlers like 'onerror=' or 'onclick=') in URL parameters and referrer headers. Check user access logs for suspicious activity following XSS-like requests. Review browser security logs for console warnings about script execution. Implement log aggregation and alerting for requests matching known XSS signatures. WordPress security plugins can also scan for malicious JavaScript injected into posts or themes.
Why prioritize this
This vulnerability merits expedited patching because it affects a theme component that handles web requests from the public internet, requires no special privileges to exploit, and can compromise user sessions and site integrity. The HIGH CVSS score (7.1) reflects meaningful confidentiality and integrity impact. While user interaction is required, the ease of crafting phishing links makes this a realistic and frequent attack vector. Organizations with public-facing Prague installations should prioritize updates immediately.
Risk score, explained
The CVSS 3.1 score of 7.1 reflects a HIGH-severity issue because: (1) Attack Vector is Network, meaning remote exploitation is trivial; (2) Attack Complexity is Low, so no special conditions are needed; (3) Privileges Required is None—any attacker on the internet can craft the exploit; (4) User Interaction is Required, which reduces the score but does not eliminate it, as phishing is effective; (5) the Scope is Changed, amplifying impact beyond the vulnerable component; and (6) Confidentiality, Integrity, and Availability are all impacted at the Low level, reflecting session theft and malicious action potential. The combination yields HIGH severity rather than CRITICAL because of the user interaction prerequisite.
Frequently asked questions
Does this vulnerability require the website to be publicly accessible?
Yes. Reflected XSS is exploited by sending a malicious URL to users. If the vulnerable Prague site is not publicly accessible, the attack surface is limited to internal users who can be socially engineered. However, most WordPress sites are public, making this a practical concern.
Can our WAF block this attack while we patch?
A Web Application Firewall can reduce risk by detecting and blocking common XSS payloads in requests. However, WAF rules are not foolproof—attackers can obfuscate payloads. A WAF is a temporary control, not a substitute for patching. Update Prague as soon as possible.
What if we don't use Prague—are we affected?
No. This vulnerability is specific to the Fox-themes Prague theme. If your site uses a different theme, you are not affected by this CVE. Verify your theme name in the WordPress admin dashboard or site source code.
Should we reset all user passwords after patching?
It depends on whether you have evidence of exploitation. Review logs for suspicious XSS requests. If found, consider forcing password resets and auditing account activity. If no evidence exists, standard password policies and monitoring are sufficient. Always document and communicate any reset to users transparently.
This analysis is provided for informational purposes and reflects publicly available CVE data as of the publication date. Patch versions and specific remediation steps should be verified against the official Fox-themes security advisory and vendor documentation. SEC.co does not provide legal or compliance advice. Organizations must conduct their own risk assessment and patch testing in alignment with their security policies and regulatory obligations. No exploit code or proof-of-concept is provided in this document. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2025-11262HIGHLink Whisper Free Stored XSS Vulnerability – Analysis & Patch Guidance
- CVE-2025-14773HIGHABB T-MAC Plus XSS Vulnerability – HIGH Risk Assessment
- CVE-2025-52759HIGHReflected XSS in UnboundStudio Accordion FAQ Plugin (Versions ≤2.2.1)
- CVE-2025-67448HIGHNeterbit NW-431F Router SMS Stored XSS Vulnerability (CVSS 7.1)
- CVE-2026-2374HIGHLogin No Captcha reCAPTCHA WordPress Plugin Stored XSS Vulnerability
- CVE-2026-24751HIGHKiteworks Reflected XSS in Secure Data Forms (CVSS 8.2)
- CVE-2026-24752HIGHKiteworks Reflected XSS in Secure Data Forms (CVSS 8.2)
- CVE-2026-33245HIGHReact Router 7.7.0-7.13.1 RSC XSS Vulnerability – Patch Available