Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Grand Conference grandconference allows Reflected XSS. This issue affects Grand Conference: from n/a through <= 5.3.4.
Published: 2026-02-20
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross‑Site Scripting (XSS)
Action: Apply Patch
AI Analysis

Impact

This vulnerability is an Improper Neutralization of Input During Web Page Generation flaw that allows attackers to inject malicious JavaScript into a page that is displayed to a user. The flaw is identified as a reflected XSS and is categorized under CWE‑79. A successful exploit could let an attacker execute arbitrary scripts in the context of a visitor’s browser, potentially compromising user sessions, defacing the site, or redirecting users to malicious destinations.

Affected Systems

The Grand Conference theme from ThemeGoods, versions up to and including 5.3.4, is affected. No additional vendor or product versions are listed, so any site running the theme at or below 5.3.4 should be considered vulnerable.

Risk and Exploitability

The publicly available CVSS score is 7.1, indicating a high‑severity impact. The EPSS score is less than 1%, suggesting a very low probability of exploitation in the wild at the time of this analysis, and the vulnerability is not currently listed in CISA’s KEV catalog. The most likely attack vector is untrusted user‑supplied data that the theme reflects back in the rendered page, as is typical with reflected XSS. An attacker would need to trick a victim into visiting a crafted URL or submitting malicious input that the theme processes and displays without proper sanitization.

Generated by OpenCVE AI on April 16, 2026 at 00:00 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Update ThemeGoods Grand Conference to a version newer than 5.3.4, ensuring the XSS fix is applied.
  • If an update cannot be performed immediately, configure or install a Content Security Policy (CSP) that restricts inline scripts and disallows script execution from unknown origins.
  • Conduct a full review of the site for other potential XSS or input validation issues and use a trusted security scanning tool to verify the patch’s effectiveness.
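As an added illustration, not code from the Grand Conference theme (the advisory does not identify the affected template or request parameter), the PHP below shows the reflected-output pattern that CWE-79 describes beside the WordPress-idiomatic fix, and the Content Security Policy header that the second action above recommends as a stop-gap. The parameter name `speaker` and every `gc_demo_*` function name are hypothetical.

```php
<?php
// Added illustration of CWE-79 (reflected XSS) in a WordPress theme context.
// Not code from the Grand Conference theme; 'speaker' and gc_demo_* are hypothetical.

// VULNERABLE: a request parameter is written straight into the page, so any
// markup the request carries is rendered as markup in the visitor's browser.
function gc_demo_render_speaker_unsafe() {
    $speaker = isset( $_GET['speaker'] ) ? $_GET['speaker'] : '';
    echo '<h2>Speaker: ' . $speaker . '</h2>';
    echo '<input type="text" name="speaker" value="' . $speaker . '">';
}

// HARDENED: unslash, sanitize on input, then escape for the exact output
// context. The two contexts below need different escapers.
function gc_demo_render_speaker_safe() {
    $speaker = isset( $_GET['speaker'] )
        ? sanitize_text_field( wp_unslash( $_GET['speaker'] ) )
        : '';
    // esc_html() for text nodes, esc_attr() for attribute values.
    echo '<h2>Speaker: ' . esc_html( $speaker ) . '</h2>';
    echo '<input type="text" name="speaker" value="' . esc_attr( $speaker ) . '">';
}

// Defence in depth while a patch is pending: a CSP that blocks inline scripts
// and scripts from origins other than the site itself. Widen script-src only
// to the origins the site legitimately loads scripts from.
function gc_demo_send_csp_header() {
    if ( headers_sent() ) {
        return;
    }
    $policy = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";
    header( 'Content-Security-Policy: ' . $policy );
}

// Hook the header into WordPress only when WordPress is actually loaded.
if ( function_exists( 'add_action' ) ) {
    add_action( 'send_headers', 'gc_demo_send_csp_header' );
}
```

A policy this strict will break themes and plugins that rely on inline `<script>` blocks, which is common in WordPress. Roll it out first as `Content-Security-Policy-Report-Only` with a `report-uri`/`report-to` directive, review the violation reports, and only then switch to the enforcing header. The CSP is a mitigation for the consequences of the reflection; the escaping fix is what removes the flaw.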


Advisories

No advisories yet.

History

Mon, 23 Feb 2026 22:15:00 +0000

Type: Metrics
Values removed: (none)
Values added:
  cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Feb 2026 15:00:00 +0000

Type: First Time appeared
Values removed: (none)
Values added:
  Themegoods
  Themegoods grand Conference
  Wordpress
  Wordpress wordpress

Type: Vendors & Products
Values removed: (none)
Values added:
  Themegoods
  Themegoods grand Conference
  Wordpress
  Wordpress wordpress

Fri, 20 Feb 2026 16:15:00 +0000

Type: Description
Values removed: (none)
Values added:
  Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Grand Conference grandconference allows Reflected XSS. This issue affects Grand Conference: from n/a through <= 5.3.4.

Type: Title
Values removed: (none)
Values added:
  WordPress Grand Conference theme <= 5.3.4 - Reflected Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values removed: (none)
Values added:
  CWE-79

Type: References
Values removed: (none)
Values added:

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:14:31.587Z

Reserved: 2026-01-28T09:50:05.801Z

Link: CVE-2026-24943

Vulnrichment

Updated: 2026-02-23T21:22:37.244Z

NVD

Status: Deferred

Published: 2026-02-20T16:22:38.623

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-24943

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T00:00:14Z

Weaknesses