CVE-2025-26737: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability has been identified in the WordPress City Store theme, tracked as CVE-2025-26737. The vulnerability affects versions up to and including 1.4.5 of the City Store theme by yudleethemes. The issue was discovered and publicly disclosed on March 24, 2025, with the initial researcher identified as stealthcopter (WPScan).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79) that allows DOM-Based XSS attacks. The severity has been assessed with a CVSS v3.1 base score of 6.5 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. The vulnerability stems from insufficient input sanitization and output escaping in the theme's functionality (NVD, Patchstack).

The vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an affected page, potentially compromising user data or facilitating further attacks (WPScan).

Currently, there is no known fix available for this vulnerability. Users of the City Store theme are advised to either upgrade to a newer version when available or consider implementing additional security controls to restrict access to contributor-level accounts (WPScan).