Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Network-reachable unauthenticated reflected XSS requires victim click (UI:R); injected script crosses trust boundary into admin session (S:C) with low C/I/A impact typical of XSS.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Cross Site Scripting (XSS) in Grand Car Rental <= 3.7 versions.
AnalysisAI
Reflected/unauthenticated cross-site scripting in the ThemeGoods Grand Car Rental WordPress theme versions 3.7 and earlier lets remote attackers execute arbitrary JavaScript in a victim's browser session after the victim follows a crafted link or visits a malicious page. The flaw carries a CVSS 3.1 base score of 7.1 with scope change, indicating impact beyond the vulnerable component, and no public exploit identified at time of analysis. Disclosure is coordinated through Patchstack and tracked as EUVD-2025-210174.
Technical ContextAI
Grand Car Rental is a commercial WordPress theme published by ThemeGoods (CPE cpe:2.3:a:themegoods:grand_car_rental) targeted at car-rental businesses and shipped with custom booking, search, and listing components. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning user-controlled input is reflected or stored into HTML output without proper escaping or contextual encoding. Because the issue is exploitable without authentication, the injection sink is reachable on a public-facing theme endpoint - typically a search parameter, AJAX handler, or shortcode rendered on a front-end page that any visitor can reach. The CVSS scope change (S:C) implies the injected script can cross a trust boundary, which in WordPress XSS typically reflects the ability to act against an authenticated administrator visiting an attacker-controlled URL while logged in.
RemediationAI
No vendor-released patch identified at time of analysis - Patchstack reports the vulnerability against versions ≤3.7 without listing a fixed version, so administrators should monitor the ThemeGoods changelog and the Patchstack advisory at https://patchstack.com/database/wordpress/theme/grandcarrental/vulnerability/wordpress-grand-car-rental-theme-3-7-cross-site-scripting-xss-vulnerability for an updated build and upgrade as soon as one is released. In the interim, deploy a WAF (Patchstack, Wordfence, or equivalent) with virtual-patching rules for this CVE to filter XSS payloads against the theme's endpoints, restrict administrator browsing of untrusted links while logged in, and enforce a strict Content-Security-Policy that disallows inline script and unknown script origins to neutralize reflected payloads - noting CSP may break some theme features and should be tested in staging. Where the theme is non-essential, switching to a maintained alternative is a stronger control than mitigating around an unpatched component.
More in Grand Car Rental
View allSame weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210174