Severity: High (CVSS 7.1) · CVE-2025-69096

CVE-2025-69096: Reflected XSS in Zorka WordPress Theme

Platform

wordpress

Component

zorka

Fixed in

1.5.8

AI Confidence: high
EPSS: 0.04%
Reviewed: May 2026

CVE-2025-69096 is a reflected cross-site scripting (XSS) vulnerability in the Zorka WordPress theme. A request parameter is reflected into a rendered page without adequate escaping, so an attacker who gets a victim to open a crafted URL can run script in the victim's browser in the context of the affected site. Depending on who the victim is, that can mean session abuse, data theft, or defacement. Versions of Zorka from 0.0.0 through 1.5.7 are affected; the fix is in version 1.5.8.


Impact and Attack Scenarios

Reflected XSS is not stored on the server: an attacker crafts a URL whose query string carries the payload and then has to get a victim to open it (phishing mail, a link on another site, a shortened URL). When the victim does, the script runs in their browser with the victim's privileges on the site. The blast radius is therefore limited to users who open the crafted link, not every visitor, but the high-value target is an authenticated administrator. WordPress sets its authentication cookies HttpOnly, so plain cookie theft usually fails; the script can instead act through the victim's browser, for example by calling wp-admin pages or the REST API with the victim's nonce, which can create users, change settings, or edit content. It can also redirect the victim to a phishing page or rewrite the page they are viewing. For a site whose administrators can be lured into clicking a link, that is a route to site takeover, which is why Zorka users should treat this as high priority despite the "Required" user-interaction rating.

Exploitation Context

CVE-2025-69096 was published on 2026-03-25. As of this date, there are no publicly known Proof-of-Concept (PoC) exploits. The vulnerability is not currently listed on the CISA KEV catalog. The probability of exploitation is considered medium, given the ease of exploiting reflected XSS vulnerabilities once a suitable attack vector is identified.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

0.04% (11th percentile)

CISA SSVC

Exploitation: none
Automatable: no
Technical Impact: partial

CVSS Vector

CVSS 3.1 base score: 7.1 (High)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
Required — victim must take an action: open a file, click a link, or visit a crafted page.
Scope
Changed — the vulnerable component is the theme running on the web server, but the impact lands in a different security authority, the victim's browser, where the script runs with the victim's session on the site.
Confidentiality
Low — partial or indirect data access. Attacker gains limited information.
Integrity
Low — attacker can modify some data with limited scope or impact.
Availability
Low — partial or intermittent denial of service. Attacker can degrade performance.

Affected Software

Component: zorka
Vendor (record source): wordfence
Affected range: 0 – 1.5.7
Fixed in: 1.5.8

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated
Fixed in 1.5.8 (this page was reviewed 60 days after disclosure)

Mitigation and Workarounds

The primary mitigation for CVE-2025-69096 is to update the Zorka theme to version 1.5.8 or later. If you cannot update immediately, reduce exposure in the meantime: escape every request-derived value at the point of output in the theme's templates with the WordPress function for that context (esc_html() for text nodes, esc_attr() for attribute values, esc_url() for URLs), and switch to a maintained theme if you cannot patch the templates yourself. A Web Application Firewall (WAF) with XSS rules adds a layer of defence, but encoding tricks routinely get past signature-based rules, so treat it as a stopgap rather than a fix. Review web server access logs for requests whose query strings contain script tags, event-handler attributes, or javascript: URIs, including URL-encoded and double-encoded forms.
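The output-encoding workaround above, shown as an added illustrative example. This is not the Zorka theme's code and the page does not say which parameter Zorka reflects; the search parameter `s`, the search-form template, and the function names are assumptions, and the code expects to be loaded inside a WordPress theme so that the escaping helpers exist.

```php
<?php
// Added example, not the Zorka theme's own code. The reflected parameter
// ('s') and the search-form markup are assumptions for illustration.

// Vulnerable pattern: a request parameter is concatenated straight into
// markup. A URL such as
//   /?s=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E
// decodes to "><script>alert(document.domain)</script>, closes the value
// attribute, and the script runs in the visitor's browser.
function example_search_form_vulnerable() {
    $query = isset( $_GET['s'] ) ? $_GET['s'] : '';
    return '<form role="search" method="get" action="' . home_url( '/' ) . '">'
         . '<input type="search" name="s" value="' . $query . '">'
         . '<button type="submit">Search</button>'
         . '</form>';
}

// Hardened pattern: unslash and sanitize on input, then escape for the
// exact output context. esc_attr() turns " into &quot; so the payload can
// no longer break out of the attribute; esc_url() guards the action URL.
// Use esc_html() instead when the value lands in a text node, and esc_js()
// when it lands inside an inline script.
function example_search_form_hardened() {
    $query = isset( $_GET['s'] )
        ? sanitize_text_field( wp_unslash( $_GET['s'] ) )
        : '';
    return '<form role="search" method="get" action="' . esc_url( home_url( '/' ) ) . '">'
         . '<input type="search" name="s" value="' . esc_attr( $query ) . '">'
         . '<button type="submit">Search</button>'
         . '</form>';
}
```

Pick the escaping function by where the value ends up, not by what it "looks like": esc_attr() is correct for the attribute above but does not protect a value that is later written into an inline `<script>` block, and sanitize_text_field() on input is a convenience, not a substitute for escaping on output.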

How to fix

Update the Zorka theme to version 1.5.8 or later, which this page lists as the fixed release. If you cannot update yet, apply the workarounds above and review your access logs for exploitation attempts; if the theme cannot be kept current at all, replace it with a maintained theme.
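The access-log review recommended under Mitigation and Workarounds, as an added example that is not part of the original page. The log lines are constructed for illustration, and the patterns are a starting point rather than a complete XSS signature set.

```php
<?php
// Added example with constructed combined-format access log lines; none of
// this is real Zorka traffic. Flags requests whose decoded target contains
// common reflected-XSS markers.
function find_xss_candidates( array $lines ): array {
    $patterns = [
        '/<\s*script/i',             // opening script tag
        '/\bon[a-z]+\s*=/i',         // event handler attribute, e.g. onerror=
        '/javascript\s*:/i',         // javascript: URI
        '/<\s*(svg|img|iframe)\b/i', // tags commonly used to carry handlers
    ];
    $hits = [];
    foreach ( $lines as $line ) {
        // The request target is the second token of the quoted request line.
        if ( ! preg_match( '/"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/', $line, $m ) ) {
            continue;
        }
        // Decode twice: attackers double-encode to get past naive filters.
        $target = rawurldecode( rawurldecode( $m[1] ) );
        foreach ( $patterns as $pattern ) {
            if ( preg_match( $pattern, $target ) ) {
                $hits[] = $line;
                break;
            }
        }
    }
    return $hits;
}

// Constructed sample: one benign search, one plain-encoded payload, one
// double-encoded payload. Only the last two should be reported.
$sample = [
    '203.0.113.5 - - [25/Mar/2026:10:01:02 +0000] "GET /?s=zorka HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [25/Mar/2026:10:02:17 +0000] "GET /?s=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [25/Mar/2026:10:03:40 +0000] "GET /?s=%2522%253E%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 512 "-" "curl/8.0"',
];

foreach ( find_xss_candidates( $sample ) as $hit ) {
    echo $hit, PHP_EOL;
}
```

A 200 response on a flagged request does not prove exploitation, only that the payload reached the site; correlate the source IP and timestamp with administrator activity (logins, new users, option changes) to decide whether anyone actually opened the link.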


Frequently asked questions

What is CVE-2025-69096 — Reflected XSS in Zorka WordPress Theme?

CVE-2025-69096 is a Reflected XSS vulnerability in the Zorka WordPress theme, allowing attackers to inject malicious scripts. It affects versions 0.0.0–1.5.7 and poses a significant security risk.

Am I affected by CVE-2025-69096 in Zorka WordPress Theme?

If you are using the Zorka WordPress theme and your version is between 0.0.0 and 1.5.7 (inclusive), you are affected. Check the version under Appearance > Themes in the dashboard, or read the Version: line in the theme's style.css header, and update without delay.

How do I fix CVE-2025-69096 in Zorka WordPress Theme?

Update the Zorka theme to version 1.5.8 or later, either through the WordPress dashboard update mechanism or by installing the new release obtained from the theme developer, then confirm the Version: header in the theme's style.css reflects the new version.

Is CVE-2025-69096 being actively exploited?

As of the current date, there are no confirmed reports of active exploitation of CVE-2025-69096. However, the vulnerability is publicly known, and exploitation is possible.

Where can I find the official Zorka advisory for CVE-2025-69096?

Zorka is a theme rather than a plugin, so check the theme developer's website for the official advisory and release notes. This record lists Wordfence as the vendor/source, so the Wordfence vulnerability database entry for CVE-2025-69096 is the other place to look for patch information.
