CVE-2025-23998

CVE-2025-23998 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS, CWE-79), in the UltraLight WordPress theme developed by Rara Theme. The flaw affects UltraLight versions from an unspecified initial release through 1.2, where user input is not properly sanitized during web page generation, enabling malicious script injection.

Attackers can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) but user interaction such as clicking a malicious link (UI:R). Successful exploitation changes the security scope (S:C) and results in low impacts to confidentiality, integrity, and availability (C:L/I:L/A:L), yielding a CVSS v3.1 base score of 7.1. This allows reflected XSS payloads to execute in the victim's browser context, potentially leading to session hijacking, data theft, or further client-side compromise.

Patchstack has documented this issue in their vulnerability database for the UltraLight WordPress theme version 1.2, providing details on the Reflected XSS flaw at https://patchstack.com/database/Wordpress/Theme/the-ultralight/vulnerability/wordpress-ultralight-theme-1-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve. Security practitioners should update to a patched version of the theme if available and apply general XSS mitigations like Content Security Policy.