
Cloud Vulnerability DB
A community-led vulnerabilities database
The Design Comuni Italia WordPress theme versions prior to 1.1.2 contain a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability exists because the theme does not properly sanitize and escape certain parameters when outputting them back in a page, allowing unauthenticated users to perform stored Cross-Site Scripting attacks (WPScan, NVD).
The vulnerability allows unauthenticated users to inject malicious scripts through parameters that are later displayed without proper sanitization. An attacker can exploit this by sending a POST request to admin-ajax.php with specially crafted parameters including 'action', 'title', 'star', 'radioResponse', and 'freeText'. The CVSS score for this vulnerability is 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (WPScan).
When successfully exploited, this vulnerability allows attackers to inject and execute arbitrary JavaScript code in users' browsers. This could lead to various attacks including session hijacking, data theft, or other malicious actions when administrators view the affected pages (WPScan).
The vulnerability has been fixed in version 1.1.2 of the Design Comuni Italia WordPress theme. Users are strongly advised to update to this version or later to address the security issue (WPScan).
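The pattern behind this class of bug, as an added illustration that is not the Design Comuni Italia theme's own code: a hypothetical admin-ajax feedback handler that accepts the parameters named in the advisory, shown first as the vulnerable store-then-echo pattern and then hardened with WordPress's sanitization and escaping functions. Function names, the option key and the allowed values for radioResponse are assumptions.

```php
<?php
// Added illustrative example, not the Design Comuni Italia theme's code.
// Hypothetical feedback endpoint on admin-ajax.php taking the advisory's
// parameters: title, star, radioResponse, freeText. Names are assumptions.

// Vulnerable pattern: raw POST fields are stored, then echoed unescaped.
function dci_example_save_feedback_vulnerable() {
    $entries   = get_option( 'dci_example_feedback', array() );
    $entries[] = array(
        'title'         => $_POST['title'],
        'star'          => $_POST['star'],
        'radioResponse' => $_POST['radioResponse'],
        'freeText'      => $_POST['freeText'],
    );
    update_option( 'dci_example_feedback', $entries );
    wp_send_json_success();
}

function dci_example_render_feedback_vulnerable() {
    foreach ( get_option( 'dci_example_feedback', array() ) as $e ) {
        // Any stored markup runs in the browser of whoever views this page.
        echo '<h3>' . $e['title'] . '</h3><p>' . $e['freeText'] . '</p>';
    }
}

// Hardened pattern: sanitize and constrain on input, escape on output.
function dci_example_save_feedback_hardened() {
    $allowed   = array( 'yes', 'no' ); // assumed set of valid radio values
    $radio     = sanitize_key( wp_unslash( $_POST['radioResponse'] ?? '' ) );
    $entries   = get_option( 'dci_example_feedback', array() );
    $entries[] = array(
        'title'         => sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) ),
        'star'          => min( 5, max( 1, absint( $_POST['star'] ?? 1 ) ) ),
        'radioResponse' => in_array( $radio, $allowed, true ) ? $radio : 'no',
        'freeText'      => sanitize_textarea_field( wp_unslash( $_POST['freeText'] ?? '' ) ),
    );
    update_option( 'dci_example_feedback', $entries );
    wp_send_json_success();
}

function dci_example_render_feedback_hardened() {
    foreach ( get_option( 'dci_example_feedback', array() ) as $e ) {
        // esc_html() neutralises anything that slipped past input sanitization.
        echo '<h3>' . esc_html( $e['title'] ) . '</h3><p>' . esc_html( $e['freeText'] ) . '</p>';
    }
}

// The 'action' parameter in the advisory is what admin-ajax.php uses to
// route a request to a handler registered like this (nopriv = logged-out).
add_action( 'wp_ajax_nopriv_dci_example_feedback', 'dci_example_save_feedback_hardened' );
add_action( 'wp_ajax_dci_example_feedback', 'dci_example_save_feedback_hardened' );
```

Because the endpoint is deliberately open to unauthenticated visitors, a nonce check would not close this bug; the stored data must be treated as untrusted and escaped at every output point.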
Source: This report was generated using AI