Impact
The Grand Magazine theme contains a reflected XSS flaw. Unsanitized user input is injected into a rendered page, enabling an attacker to execute arbitrary script in the browser context of any visitor who clicks a crafted link. This can result in cookie theft, session hijacking, defacement or malicious redirects, compromising confidentiality and integrity of sites that rely on the theme.
Affected Systems
The vulnerability affects ThemeGoods Grand Magazine WordPress theme versions up to and including 3.5.7. Any WordPress installation running one of those releases, without the exploitation of a different theme or plugin, is susceptible. The flaw resides in the theme's front‑end code that processes query parameters or other user input.
Risk and Exploitability
The CVSS score of 7.1 classifies the issue as high severity, but the EPSS score of less than 1 % indicates that, at the time of assessment, the likelihood of a real‑world exploit is low. The flaw is not listed in CISA's KEV catalog. The likely attack vector is reflected XSS, which can be triggered without authentication by sending a malicious URL to a victim or embedding it in a link. Escalating to full site compromise would require additional conditions, such as the user granting the theme or site permission to run scripts.
OpenCVE Enrichment