Description
Unauthenticated Cross Site Scripting (XSS) in Auto Repair <= 22.6 versions.
Published: 2026-06-17
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

WordPress users running the Auto Repair theme version 22.6 or earlier may be exposed to an unauthenticated reflected XSS flaw. The vulnerability permits an attacker to inject malicious script code into web pages that the theme renders, leading to potential cookie theft, session hijacking, or defacement of the site. The weakness stems from improper output encoding and is identified as CWE‑79.

Affected Systems

The flaw affects the WordPress Auto Repair theme provided by VamTam. Any WordPress installation that has the Auto Repair theme installed at version 22.6 or earlier is susceptible; newer versions beyond 22.6 are not impacted.

Risk and Exploitability

The CVSS score for this issue is 7.1, indicating a high severity level. EPSS information is currently unavailable, which means the exploitation probability cannot be quantified at present. This vulnerability is not listed in the CISA KEV catalog. The flaw is unauthenticated, implying that any internet‑accessible attacker can potentially exploit it by crafting a malicious URL or input field that the theme processes without sufficient sanitization. Given the nature of XSS, the risk for compromised users is significant, especially if credentials are stored in the session or if the attacker can force browser execution.

Generated by OpenCVE AI on June 18, 2026 at 12:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Auto Repair theme to a version newer than 22.6 to remove the reflected XSS code path.
  • If an immediate upgrade is not practical, limit the content accepted by the theme’s input fields and apply strict output encoding or sanitization to prevent script injection.
  • Deploy a web application firewall or a content security policy that blocks or reports suspicious script payloads targeting the theme.

Generated by OpenCVE AI on June 18, 2026 at 12:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Vamtam
Vamtam auto Repair
Wordpress
Wordpress wordpress
Vendors & Products Vamtam
Vamtam auto Repair
Wordpress
Wordpress wordpress

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Unauthenticated Cross Site Scripting (XSS) in Auto Repair <= 22.6 versions.
Title WordPress Auto Repair theme <= 22.6 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Vamtam Auto Repair
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T14:24:20.365Z

Reserved: 2026-01-07T12:21:02.765Z

Link: CVE-2026-22328

cve-icon Vulnrichment

Updated: 2026-06-17T14:24:15.961Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T23:04:40Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')