{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25033", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-28T09:52:08.058Z", "datePublished": "2026-03-25T16:14:38.692Z", "dateUpdated": "2026-03-25T20:23:32.380Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "motta-addons", "product": "Motta Addons", "vendor": "uixthemes", "versions": [{"changes": [{"at": "1.6.1", "status": "unaffected"}], "lessThanOrEqual": "< 1.6.1", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:20.620Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in uixthemes Motta Addons motta-addons allows Reflected XSS.<p>This issue affects Motta Addons: from n/a through < 1.6.1.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in uixthemes Motta Addons motta-addons allows Reflected XSS.This issue affects Motta Addons: from n/a through < 1.6.1."}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "Reflected XSS"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:38.692Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/motta-addons/vulnerability/wordpress-motta-addons-plugin-1-6-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "title": "WordPress Motta Addons plugin < 1.6.1 - Reflected Cross Site Scripting (XSS) vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-25033", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T20:17:30.309169Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T20:23:32.380Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-25033", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T20:17:30.309169Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T20:17:31.239Z"}}], "cna": {"title": "WordPress Motta Addons plugin < 1.6.1 - Reflected Cross Site Scripting (XSS) vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "Reflected XSS"}]}], "affected": [{"vendor": "uixthemes", "product": "Motta Addons", "versions": [{"status": "affected", "changes": [{"at": "1.6.1", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "< 1.6.1"}], "packageName": "motta-addons", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-03-25T17:12:20.620Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/motta-addons/vulnerability/wordpress-motta-addons-plugin-1-6-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in uixthemes Motta Addons motta-addons allows Reflected XSS.This issue affects Motta Addons: from n/a through < 1.6.1.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in uixthemes Motta Addons motta-addons allows Reflected XSS.<p>This issue affects Motta Addons: from n/a through < 1.6.1.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:38.692Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25033", "state": "PUBLISHED", "dateUpdated": "2026-03-25T20:23:32.380Z", "dateReserved": "2026-01-28T09:52:08.058Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-25T16:14:38.692Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in uixthemes Motta Addons motta-addons allows Reflected XSS.This issue affects Motta Addons: from n/a through < 1.6.1."}], "id": "CVE-2026-25033", "lastModified": "2026-03-25T21:16:33.183", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T17:16:43.103", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/motta-addons/vulnerability/wordpress-motta-addons-plugin-1-6-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.6.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Motta Addons", "source": "cna", "vendor": "uixthemes"}, "product": "motta_addons", "vendor": "uixthemes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-25T23:37:45.092210+00:00", "value": {"mitigation_remediation": ["Upgrade the Motta Addons plugin to version 1.6.1 or later.", "Verify that the plugin has been updated by checking the WordPress admin plugin list.", "If a newer version is not yet available, consider disabling the plugin or removing it entirely from the site.", "As a temporary measure, restrict the input that the plugin processes or employ a web\u2011application firewall rule to block suspicious query strings."], "summary": {"action": "Patch", "impact": "Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in the Motta Addons plugin for WordPress, produced by uixthemes. All releases prior to version 1.6.1 are affected, meaning any site that has installed the plugin before that update is at risk. The issue is present wherever the plugin renders user\u2011supplied parameters in web pages or admin screens.", "description_and_impact": "A reflected cross\u2011site scripting flaw allows attackers to insert malicious JavaScript into page output through URL or form input. The flaw arises because the plugin fails to neutralize user\u2011supplied data, causing browsers to execute the code in the context of the site or site owner. This can lead to defacement, theft of authentication cookies, or delivery of phishing content. The weakness falls under CWE\u201179, which covers insufficient output encoding.", "risk_and_exploitability": "The flaw carries a CVSS score of 7.1, signifying high severity with medium to high exploitability and significant impact on confidentiality and integrity via client\u2011side code injection. An attacker can exploit it by crafting a URL or query string with malicious payload that the plugin echoes back, which a visitor's browser will execute without filtering. Although an EPSS score is not available, the lack of an official advisory in the CISA KEV catalog suggests fewer known active exploits. Nevertheless, the high severity rating warrants immediate attention."}}}}, "created": "2026-03-25T21:34:11.703190+00:00", "updated": "2026-03-26T12:13:00.376003+00:00", "vendors": ["uixthemes", "uixthemes$PRODUCT$motta_addons", "wordpress", "wordpress$PRODUCT$wordpress"]}