Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Reflected XSS reachable over the network without auth but requires a victim click (UI:R); scope changes to the admin session yielding limited C/I/A impact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Cross Site Scripting (XSS) in Auto Repair <= 22.6 versions.
AnalysisAI
Reflected cross-site scripting in the VamTam Auto Repair WordPress theme versions 22.6 and earlier allows remote unauthenticated attackers to execute arbitrary JavaScript in a victim's browser after tricking them into clicking a crafted link. The flaw was disclosed via Patchstack and carries a CVSS 7.1 due to scope change impact on the WordPress admin context; no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Technical ContextAI
The affected product is the Auto Repair commercial WordPress theme published by VamTam (CPE cpe:2.3:a:vamtam:auto_repair). The vulnerability falls under CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning user-controlled input is reflected back into a rendered page without adequate output encoding or contextual escaping. In a WordPress theme context this typically stems from template files echoing GET/POST parameters (e.g. search terms, shortcode attributes, or AJAX endpoints) directly into HTML without esc_html/esc_attr/wp_kses sanitization. The CVSS scope change (S:C) indicates the injected script can affect a security authority beyond the vulnerable component - generally a logged-in administrator visiting the crafted URL.
RemediationAI
Upstream fix available per Patchstack advisory; a released patched version is not independently confirmed in the provided data, so administrators should update the Auto Repair theme to the latest version available from VamTam (any release after 22.6) as published at https://patchstack.com/database/wordpress/theme/auto-repair/vulnerability/wordpress-auto-repair-theme-22-6-reflected-cross-site-scripting-xss-vulnerability. If immediate patching is not possible, deploy a WordPress-aware WAF rule (Wordfence, Patchstack mitigation, or Cloudflare managed rules) to block reflected XSS payloads on the vulnerable theme endpoints, restrict /wp-admin access by IP allowlist to reduce the chance of an admin triggering the payload, and instruct administrators not to follow links into their site from untrusted sources until patched - note that WAF rules can produce false positives on legitimate admin input containing HTML-like characters.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37651