Skip to main content

Auto Repair Theme EUVDEUVD-2026-37651

| CVE-2026-22328 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-17 Patchstack
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
7.1 HIGH

Reflected XSS reachable over the network without auth but requires a victim click (UI:R); scope changes to the admin session yielding limited C/I/A impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 12:34 vuln.today

DescriptionCVE.org

Unauthenticated Cross Site Scripting (XSS) in Auto Repair <= 22.6 versions.

AnalysisAI

Reflected cross-site scripting in the VamTam Auto Repair WordPress theme versions 22.6 and earlier allows remote unauthenticated attackers to execute arbitrary JavaScript in a victim's browser after tricking them into clicking a crafted link. The flaw was disclosed via Patchstack and carries a CVSS 7.1 due to scope change impact on the WordPress admin context; no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.

Technical ContextAI

The affected product is the Auto Repair commercial WordPress theme published by VamTam (CPE cpe:2.3:a:vamtam:auto_repair). The vulnerability falls under CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning user-controlled input is reflected back into a rendered page without adequate output encoding or contextual escaping. In a WordPress theme context this typically stems from template files echoing GET/POST parameters (e.g. search terms, shortcode attributes, or AJAX endpoints) directly into HTML without esc_html/esc_attr/wp_kses sanitization. The CVSS scope change (S:C) indicates the injected script can affect a security authority beyond the vulnerable component - generally a logged-in administrator visiting the crafted URL.

RemediationAI

Upstream fix available per Patchstack advisory; a released patched version is not independently confirmed in the provided data, so administrators should update the Auto Repair theme to the latest version available from VamTam (any release after 22.6) as published at https://patchstack.com/database/wordpress/theme/auto-repair/vulnerability/wordpress-auto-repair-theme-22-6-reflected-cross-site-scripting-xss-vulnerability. If immediate patching is not possible, deploy a WordPress-aware WAF rule (Wordfence, Patchstack mitigation, or Cloudflare managed rules) to block reflected XSS payloads on the vulnerable theme endpoints, restrict /wp-admin access by IP allowlist to reduce the chance of an admin triggering the payload, and instruct administrators not to follow links into their site from untrusted sources until patched - note that WAF rules can produce false positives on legitimate admin input containing HTML-like characters.

Share

EUVD-2026-37651 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy