Impact
WordPress users running the Auto Repair theme version 22.6 or earlier may be exposed to an unauthenticated reflected XSS flaw. The vulnerability permits an attacker to inject malicious script code into web pages that the theme renders, leading to potential cookie theft, session hijacking, or defacement of the site. The weakness stems from improper output encoding and is identified as CWE‑79.
Affected Systems
The flaw affects the WordPress Auto Repair theme provided by VamTam. Any WordPress installation that has the Auto Repair theme installed at version 22.6 or earlier is susceptible; newer versions beyond 22.6 are not impacted.
Risk and Exploitability
The CVSS score for this issue is 7.1, indicating a high severity level. EPSS information is currently unavailable, which means the exploitation probability cannot be quantified at present. This vulnerability is not listed in the CISA KEV catalog. The flaw is unauthenticated, implying that any internet‑accessible attacker can potentially exploit it by crafting a malicious URL or input field that the theme processes without sufficient sanitization. Given the nature of XSS, the risk for compromised users is significant, especially if credentials are stored in the session or if the attacker can force browser execution.
OpenCVE Enrichment