CVE-2025-8143: 
WordPress vulnerability analysis and mitigation

The Soledad theme for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2025-8143) discovered and reported by Wordfence on August 16, 2025. The vulnerability affects all versions up to and including 8.6.7 of the theme. This security issue is present in the 'pcsmlsmartlistsh' parameter due to insufficient input sanitization and output escaping (NVD, AttackerKB).

The vulnerability has been assigned a CVSS v3.1 base score of 6.4 (Medium severity) with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The technical assessment indicates that the vulnerability has a network attack vector, low attack complexity, requires low privileges, needs no user interaction, has changed scope, and can impact both confidentiality and integrity at a low level, with no impact on availability (Wordfence).

The vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever any user accesses the compromised page, potentially leading to unauthorized data access or manipulation of user sessions (NVD).

Users should upgrade their Soledad WordPress theme to a version newer than 8.6.7 when available. In the meantime, it is recommended to restrict access to contributor-level accounts and monitor for suspicious activities (Wordfence).