CVE-2025-3077: 
WordPress vulnerability analysis and mitigation

The Betheme WordPress theme contains a Stored Cross-Site Scripting (XSS) vulnerability (CVE-2025-3077) discovered on April 16, 2025. The vulnerability affects all versions up to and including 28.0.3 and is present in the plugin's Button shortcode and Custom CSS field. This security issue stems from insufficient input sanitization and output escaping on user-supplied attributes (NVD CVE).

The vulnerability has been assigned a CVSS v3.1 Base Score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The technical root cause is related to improper neutralization of input during web page generation, classified as CWE-79 (NVD CVE).

The vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an affected page, potentially leading to unauthorized data access or manipulation (NVD CVE).

The vulnerability was patched in version 28.0.4 of the Betheme theme. Users are advised to update to this version or later to protect against this security issue (Betheme Changelog).