Skip to main content

Grand Car Rental EUVDEUVD-2025-210174

| CVE-2025-69151 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-16 Patchstack
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
7.1 HIGH

Network-reachable unauthenticated reflected XSS requires victim click (UI:R); injected script crosses trust boundary into admin session (S:C) with low C/I/A impact typical of XSS.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 23:53 vuln.today

DescriptionCVE.org

Unauthenticated Cross Site Scripting (XSS) in Grand Car Rental <= 3.7 versions.

AnalysisAI

Reflected/unauthenticated cross-site scripting in the ThemeGoods Grand Car Rental WordPress theme versions 3.7 and earlier lets remote attackers execute arbitrary JavaScript in a victim's browser session after the victim follows a crafted link or visits a malicious page. The flaw carries a CVSS 3.1 base score of 7.1 with scope change, indicating impact beyond the vulnerable component, and no public exploit identified at time of analysis. Disclosure is coordinated through Patchstack and tracked as EUVD-2025-210174.

Technical ContextAI

Grand Car Rental is a commercial WordPress theme published by ThemeGoods (CPE cpe:2.3:a:themegoods:grand_car_rental) targeted at car-rental businesses and shipped with custom booking, search, and listing components. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning user-controlled input is reflected or stored into HTML output without proper escaping or contextual encoding. Because the issue is exploitable without authentication, the injection sink is reachable on a public-facing theme endpoint - typically a search parameter, AJAX handler, or shortcode rendered on a front-end page that any visitor can reach. The CVSS scope change (S:C) implies the injected script can cross a trust boundary, which in WordPress XSS typically reflects the ability to act against an authenticated administrator visiting an attacker-controlled URL while logged in.

RemediationAI

No vendor-released patch identified at time of analysis - Patchstack reports the vulnerability against versions ≤3.7 without listing a fixed version, so administrators should monitor the ThemeGoods changelog and the Patchstack advisory at https://patchstack.com/database/wordpress/theme/grandcarrental/vulnerability/wordpress-grand-car-rental-theme-3-7-cross-site-scripting-xss-vulnerability for an updated build and upgrade as soon as one is released. In the interim, deploy a WAF (Patchstack, Wordfence, or equivalent) with virtual-patching rules for this CVE to filter XSS payloads against the theme's endpoints, restrict administrator browsing of untrusted links while logged in, and enforce a strict Content-Security-Policy that disallows inline script and unknown script origins to neutralize reflected payloads - noting CSP may break some theme features and should be tested in staging. Where the theme is non-essential, switching to a maintained alternative is a stronger control than mitigating around an unpatched component.

Share

EUVD-2025-210174 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy