CVE-2025-62036: 
WordPress vulnerability analysis and mitigation

A Cross-Site Scripting (XSS) vulnerability was identified in the Togo WordPress theme, specifically affecting versions prior to 1.0.4. The vulnerability was discovered by Tran Nguyen Bao Khanh from VCI - VNPT Cyber Immunity and was publicly disclosed on October 11, 2025. This security issue is tracked as CVE-2025-62036 and involves improper neutralization of input during web page generation (Patchstack).

The vulnerability has been assigned a CVSS 3.1 base score of 7.1 (High) with the following vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. This indicates that the vulnerability is network-accessible, requires low attack complexity, needs no privileges, but does require user interaction. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (NVD).

The vulnerability could allow malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when guests visit the affected site, potentially compromising the security and integrity of the website and its users (Patchstack).

The vulnerability has been patched in version 1.0.4 of the Togo theme. Users are advised to update to version 1.0.4 or later immediately to resolve the vulnerability. Additionally, Patchstack has issued a mitigation rule to block any attacks until users can update to the fixed version (Patchstack).