CVE-2025-52799: 
WordPress vulnerability analysis and mitigation

A Cross-Site Scripting (XSS) vulnerability has been identified in designthemes LMS WordPress theme versions up to 9.1. The vulnerability was discovered by Frank and was publicly disclosed on June 23, 2025. This reflected XSS vulnerability affects unauthenticated users and has been assigned CVE-2025-52799 (Patchstack, NVD).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79) issue. It has been assigned a CVSS v3.1 base score of 7.1 (High), with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. This indicates that the vulnerability can be exploited remotely, requires low attack complexity, needs no privileges, but does require user interaction (Patchstack).

The vulnerability could allow malicious actors to inject malicious scripts into the website, which would be executed when visitors access the affected pages. These scripts could potentially be used to redirect users, inject unwanted advertisements, or execute other malicious HTML payloads (Patchstack).

Currently, there is no official fix available from the theme developer. However, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until an official fix becomes available. Website owners are advised to implement the mitigation immediately (Patchstack).