CVE-2025-8143: 
WordPress vulnerability analysis and mitigation

The Soledad theme for WordPress has been identified with a Stored Cross-Site Scripting vulnerability (CVE-2025-8143), affecting all versions up to and including 8.6.7. The vulnerability was discovered and reported by Wordfence on August 16, 2025. The issue specifically involves the 'pcsmlsmartlistsh' parameter, which is susceptible to XSS attacks due to insufficient input sanitization and output escaping (NVD CVE).

The vulnerability has been assigned a CVSS v3.1 base score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The technical classification falls under CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-site Scripting. The vulnerability stems from inadequate input validation and output escaping mechanisms in the theme's handling of the 'pcsmlsmartlistsh' parameter (NVD CVE, Wordfence Intel).

The vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever any user accesses the compromised page, potentially leading to unauthorized data access or manipulation of user sessions (NVD CVE).

Users of the Soledad WordPress theme should immediately upgrade to a version newer than 8.6.7 if available. Until an update is applied, it is recommended to restrict Contributor access and carefully monitor user permissions to minimize the risk of exploitation (Themeforest Changelog).