CVE-2025-4776
Phlox <= 2.17.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via `data-caption` HTML AttributeThe Phlox theme for WordPress is vulnerable to Stored Cross-Site Scripting via the `data-caption` HTML attribute in all versions up to, and including, 2.17.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
We have discovered 5,707 live websites that are affected by CVE-2025-4776.
Affected Software
| Product |  Phlox |
| Category | Wordpress Themes |
| Vulnerable Domains | 5,707 live websites (76% of Phlox install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 97 versions ( 99% of all versions) |
Common Weakness Enumeration
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')Details
- Published - Jan 6, 2026
- Updated - Jan 6, 2026
Credits
- Craig Smith (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2025-4776 United States | 1,162 websites |
 Germany | 822 websites |
 Poland | 305 websites |
 Italy | 303 websites |
 Netherlands | 273 websites |
 France | 255 websites |
 Brazil | 220 websites |
 GB | 211 websites |
 India | 169 websites |
 Spain | 151 websites |
Website Distribution by TLD
Number of websites using CVE-2025-4776| .com | 2,194 websites |
| .de | 328 websites |
| .nl | 248 websites |
| .org | 237 websites |
| .pl | 233 websites |
| .it | 223 websites |
| .com.br | 205 websites |
| .net | 136 websites |
| .fr | 123 websites |
| .ru | 115 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2025-4776
Top websites that are affected by CVE-2025-4776. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *********.net | Germany | ***,*** | |
| **************.com | United States | ***,*** | |
| ************.**.uk | GB | ***,*** | |
| **********************.com | Germany | ***,*** | |
| *****.com | Germany | ***,*** | |
| *************.com | United States | ***,*** | |
| *************.com | United States | ***,*** | |
| ********.net | GB | ***,*** | |
| **********.**.uk | GB | ***,*** | |
| *******.pl | Poland | ***,*** |
FAQ
CVE-2025-4776 is Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Phlox
A total of 5,707 websites have been identified as vulnerable to CVE-2025-4776, based on global website indexing conducted by WebTechSurvey.
The Phlox is affected by the CVE-2025-4776 vulnerability.
Phlox versions up to and including 2.17.7 are vulnerable to CVE-2025-4776.