CVE-2025-67918
WordPress Woffice theme <= 5.4.30 - Cross Site Scripting (XSS) vulnerabilityImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WofficeIO Woffice woffice allows Reflected XSS.This issue affects Woffice: from n/a through <= 5.4.30.
We have discovered 356 live websites that are affected by CVE-2025-67918.
Affected Software
| Product | |
| Category | Wordpress Themes |
| Vulnerable Domains | 356 live websites (100% of Woffice install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 30 versions ( 91% of all versions) |
Details
- Published - Jan 8, 2026
- Updated - Jan 20, 2026
Credits
- Rafie Muhammad (Patchstack) (finder)
CVE References
Website Distribution by Country
Number of websites using CVE-2025-67918 United States | 109 websites |
 France | 38 websites |
 Germany | 29 websites |
 Netherlands | 26 websites |
 Portugal | 22 websites |
 Australia | 19 websites |
 Spain | 16 websites |
 GB | 14 websites |
 Italy | 11 websites |
 Brazil | 9 websites |
Website Distribution by TLD
Number of websites using CVE-2025-67918| .com | 118 websites |
| .org | 31 websites |
| .fr | 16 websites |
| .com.au | 16 websites |
| .de | 16 websites |
| .net | 13 websites |
| .nl | 13 websites |
| .eu | 10 websites |
| .es | 9 websites |
| .ru | 5 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2025-67918
Top websites that are affected by CVE-2025-67918. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ********.com | Italy | ***,*** | |
| ********.**********.com | GB | ***,*** | |
| *****.*******.com | France | ***,*** | |
| ***************.de | Germany | ***,*** | |
| *******.pt | Portugal | ***,*** | |
| ********.org | United States | ***,*** | |
| **.**************.pt | Portugal | *,***,*** | |
| **********.com | United States | *,***,*** | |
| *****.***.br | Brazil | *,***,*** | |
| ****.*********.it | Italy | *,***,*** |