Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in scriptsbundle CarSpot carspot allows Reflected XSS. This issue affects CarSpot: from n/a through < 2.4.6.
Published: 2026-01-22
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross‑Site Scripting that may execute arbitrary script in a victim’s browser, enabling session hijacking or malicious actions
Action: Apply Patch
AI Analysis

Impact

The vulnerability resides in the CarSpot WordPress theme prior to version 2.4.6. Improperly filtered input is reflected back into the generated web page, allowing an attacker to embed arbitrary client‑side code when a user follows a crafted link or enters data that is later displayed. If exploited, the attacker can steal user data, hijack sessions, or perform other malicious actions directly within the victim’s browser.

Affected Systems

All WordPress installations that use the scriptsbundle CarSpot theme in a version older than 2.4.6 are susceptible. The vulnerability applies to every release from the theme's earliest available build up through 2.4.5 inclusive.

Risk and Exploitability

The CVSS score of 7.1 classifies the flaw as high severity. The current EPSS score is below 1%, indicating a low probability of exploitation at present. The vulnerability is not listed in CISA KEV, suggesting no known widespread exploitation. The likely attack vector is a remote user delivering a specially crafted URL or input to a vulnerable site, so that the reflected value is rendered as script in the victim's browser.

Generated by OpenCVE AI on April 28, 2026 at 18:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the CarSpot theme to version 2.4.6 or later, which removes the input sanitization flaw.
  • If an upgrade is not immediately possible, escape all output that incorporates user input before it is rendered, using WordPress functions such as wp_kses or esc_html to neutralize scripts.
  • After implementing a fix or workaround, monitor site activity for signs of injected scripts or unauthorized redirects to ensure the vulnerability has been effectively mitigated.
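To make the second action concrete, the following is an added illustrative example and is not code from the CarSpot theme or from OpenCVE. It shows a constructed theme-template fragment that reflects a query parameter, first in the unescaped form that produces reflected XSS and then hardened with the WordPress escaping functions named above. The function names (carspot_demo_*) and the `search` parameter are hypothetical.

```php
<?php
// Added illustrative example (not CarSpot theme code). Assumes it runs inside
// WordPress, where wp_unslash(), sanitize_text_field(), esc_html(),
// esc_attr() and wp_kses() are available.

// Vulnerable pattern: the raw query string is written straight into the
// page, so whatever a crafted link carries becomes part of the markup the
// victim's browser renders.
function carspot_demo_render_search_vulnerable() {
    $q = isset( $_GET['search'] ) ? wp_unslash( $_GET['search'] ) : '';
    echo '<h2>Results for: ' . $q . '</h2>';
    echo '<input type="text" name="search" value="' . $q . '">';
}

// Hardened pattern: sanitize on input, then escape for the exact context the
// value lands in. esc_html() is for HTML body text, esc_attr() for attribute
// values; both convert <, >, &, " and ' to entities so the value cannot
// break out of its context.
function carspot_demo_render_search_hardened() {
    $q = isset( $_GET['search'] )
        ? sanitize_text_field( wp_unslash( $_GET['search'] ) )
        : '';
    echo '<h2>Results for: ' . esc_html( $q ) . '</h2>';
    echo '<input type="text" name="search" value="' . esc_attr( $q ) . '">';
}

// When limited markup must survive (e.g. a user-written listing description),
// wp_kses() with an explicit allow-list keeps only the listed tags and
// attributes and strips script-capable ones, including event handlers and
// disallowed URL schemes in href.
function carspot_demo_render_description( $description ) {
    $allowed = array(
        'b' => array(),
        'i' => array(),
        'a' => array( 'href' => array(), 'title' => array() ),
    );
    echo wp_kses( $description, $allowed );
}
```

The rule the hardened functions follow is "escape late, for the output context": the same value needs esc_html() in element content and esc_attr() inside an attribute, and sanitizing the input alone does not replace output escaping.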

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values removed: cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
Values added: cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Fri, 23 Jan 2026 22:15:00 +0000

Type: Metrics
Values removed: none
Values added:
  cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
  ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 23 Jan 2026 16:45:00 +0000

Type: First Time appeared
Values removed: none
Values added: Scriptsbundle; Scriptsbundle carspot; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values removed: none
Values added: Scriptsbundle; Scriptsbundle carspot; Wordpress; Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Type: Description
Values added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in scriptsbundle CarSpot carspot allows Reflected XSS. This issue affects CarSpot: from n/a through < 2.4.6.

Type: Title
Values added: WordPress CarSpot theme < 2.4.6 - Reflected Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values added: CWE-79

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:37.310Z

Reserved: 2025-12-31T20:12:13.401Z

Link: CVE-2025-69317

Vulnrichment

Updated: 2026-01-23T21:16:43.063Z

NVD

Status: Deferred

Published: 2026-01-22T17:16:27.463

Modified: 2026-04-27T21:16:23.907

Link: CVE-2025-69317

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T18:15:37Z

Weaknesses