Description
Unauthenticated Cross Site Scripting (XSS) in Grand Car Rental <= 3.7 versions.
Published: 2026-06-16
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an unauthenticated Cross Site Scripting flaw in the WordPress Grand Car Rental theme, versions up to 3.7, that allows an attacker to embed arbitrary scripts which run when site visitors load the affected pages. The flaw, classified as CWE-79, means that untrusted input is not properly sanitized before being rendered, potentially giving the attacker the ability to steal cookies, deface content, or perform phishing. Because the flaw is unauthenticated, it can be exploited by anyone who can reach a site running the vulnerable theme, without having to log in.

Affected Systems

The affected system is the Grand Car Rental WordPress theme supplied by ThemeGoods. Any installation of that theme at version 3.7 or earlier is susceptible; newer releases of the theme are presumed to be fixed.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity, yet the EPSS score of less than 1% suggests that actual exploitation attempts are currently rare. The issue is not listed in the CISA KEV catalog, which also points to a lower immediate threat. The likely attack vector is client-side: an attacker crafts a malicious payload that is embedded into a page rendered by the theme, and it is then executed in the browsers of users who visit the affected site. Attack conditions are minimal: any visitor who loads the vulnerable page will run the injected script, so the risk to site owners is primarily the loss of user trust and possible data theft.

Generated by OpenCVE AI on June 17, 2026 at 17:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Grand Car Rental theme to the latest version that removes the XSS flaw
  • If an immediate upgrade is not possible, temporarily replace the theme with a non‑vulnerable alternative or disable the theme until a patch is applied
  • Sanitize any user‑generated content that the theme outputs, and consider applying a web‑application firewall to detect and block malicious scripts

Advisories

No advisories yet.

History

Wed, 17 Jun 2026 11:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 17 Jun 2026 05:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Themegoods; Themegoods grand Car Rental; Wordpress; Wordpress wordpress
Vendors & Products | | Themegoods; Themegoods grand Car Rental; Wordpress; Wordpress wordpress

Tue, 16 Jun 2026 22:00:00 +0000

Type | Values Removed | Values Added
Description | | Unauthenticated Cross Site Scripting (XSS) in Grand Car Rental <= 3.7 versions.
Title | | WordPress Grand Car Rental theme <= 3.7 - Cross Site Scripting (XSS) vulnerability
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T10:47:15.226Z

Reserved: 2025-12-29T11:19:48.753Z

Link: CVE-2025-69151

Vulnrichment

Updated: 2026-06-17T10:47:10.085Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-17T03:45:01Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')