{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-67618", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-09T16:46:41.863Z", "datePublished": "2026-03-19T08:31:39.918Z", "dateUpdated": "2026-04-28T16:14:22.615Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Brookside", "vendor": "ArtstudioWorks", "versions": [{"lessThanOrEqual": "1.4", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ArtstudioWorks Brookside allows Reflected XSS.<p>This issue affects Brookside: from n/a through 1.4.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ArtstudioWorks Brookside allows Reflected XSS.This issue affects Brookside: from n/a through 1.4."}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "CAPEC-591 Reflected XSS"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:22.615Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/wordpress/theme/brookside/vulnerability/wordpress-brookside-theme-1-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "source": {"discovery": "EXTERNAL"}, "title": "WordPress Brookside theme <= 1.4 - Reflected Cross Site Scripting (XSS) vulnerability", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-19T14:51:31.190030Z", "id": "CVE-2025-67618", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T14:52:09.469Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-67618", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-19T14:51:31.190030Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T14:51:58.831Z"}}], "cna": {"title": "WordPress Brookside theme <= 1.4 - Reflected Cross Site Scripting (XSS) vulnerability", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "CAPEC-591 Reflected XSS"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "ArtstudioWorks", "product": "Brookside", "versions": [{"status": "affected", "version": "n/a", "versionType": "custom", "lessThanOrEqual": "1.4"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://patchstack.com/database/wordpress/theme/brookside/vulnerability/wordpress-brookside-theme-1-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ArtstudioWorks Brookside allows Reflected XSS.This issue affects Brookside: from n/a through 1.4.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ArtstudioWorks Brookside allows Reflected XSS.<p>This issue affects Brookside: from n/a through 1.4.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-19T08:31:39.918Z"}}}, "cveMetadata": {"cveId": "CVE-2025-67618", "state": "PUBLISHED", "dateUpdated": "2026-03-19T14:52:09.469Z", "dateReserved": "2025-12-09T16:46:41.863Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-19T08:31:39.918Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ArtstudioWorks Brookside allows Reflected XSS.This issue affects Brookside: from n/a through 1.4."}, {"lang": "es", "value": "Neutralizaci\u00f3n Incorrecta de la Entrada Durante la Generaci\u00f3n de P\u00e1ginas Web ('cross-site scripting') vulnerabilidad en ArtstudioWorks Brookside permite XSS Reflejado. Este problema afecta a Brookside: desde n/a hasta 1.4."}], "id": "CVE-2025-67618", "lastModified": "2026-04-28T19:35:38.927", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.7, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-03-19T09:16:16.587", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/wordpress/theme/brookside/vulnerability/wordpress-brookside-theme-1-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.4]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Brookside", "source": "cna", "vendor": "ArtstudioWorks"}, "product": "brookside", "vendor": "artstudioworks"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-28T22:16:25.419836+00:00", "value": {"mitigation_remediation": ["Apply the latest Brookside theme version that is newer than 1.4 to remove the XSS flaw.", "Review all theme templates for unsanitized output and apply proper escaping or sanitization to any user\u2011supplied data.", "Run an XSS scanning tool such as OWASP ZAP or Burp Suite on the site to verify that no reflected input remains vulnerable and monitor for future regressions."], "summary": {"action": "Patch Theme", "impact": "Cross\u2011Site Scripting (client\u2011side execution)"}, "threat_synthesis": {"affected_systems": "ArtstudioWorks Brookside theme is affected for all released versions from the first available version up through 1.4. No specific patch version is listed; therefore, any deployment of Brookside <= 1.4 is considered vulnerable.", "description_and_impact": "The ArtstudioWorks Brookside theme is vulnerable to an improper neutralization of input during web page generation that results in reflected cross\u2011site scripting (CWE\u201179). When a user supplies crafted data that the theme echoes back without adequate encoding, an attacker can inject arbitrary JavaScript into the victim\u2019s browser. This enables information theft (such as session cookies), phishing, or execution of malicious scripts in the context of the site\u2019s domain. The impact is limited to the web pages rendered by the vulnerable theme and does not grant server\u2011side access.", "risk_and_exploitability": "The CVSS score of 7.1 indicates a high severity level for a reflected XSS vulnerability. Exploitability is likely high because the flaw can be triggered by any user visiting a crafted URL or interacting with a reflected form field. The EPSS score is < 1%, indicating a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Attackers can generally exploit this flaw by simply visiting a malicious URL; no elevated privileges or authentication are required."}}}}, "created": "2026-03-20T08:57:07.558543+00:00", "updated": "2026-04-28T22:30:41.594546+00:00", "vendors": ["artstudioworks", "artstudioworks$PRODUCT$brookside", "wordpress", "wordpress$PRODUCT$wordpress"]}