Impact
The vulnerability is an unauthenticated Cross Site Scripting flaw in the NativeChurch WordPress theme versions 4.8.8.2 and earlier. By injecting malicious script code into reflected input, an attacker can execute arbitrary code on the victim’s browser, potentially subverting the site’s content, hijacking sessions or redirecting users. The flaw is classified as CWE‑79 due to failure to properly escape user-supplied data during output.
Affected Systems
The affected product is the NativeChurch theme developed by iThemes. Versions 4.8.8.2 and older are vulnerable; newer releases of the theme have the issue addressed.
Risk and Exploitability
The CVSS score of 7.1 indicates a high potential for impact. Because the attack does not require authentication and depends only on a crafted URL, it is readily exploitable. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog, so no known widespread exploits are reported. Nevertheless, the straightforward exploitation path makes it a priority for remediation.
OpenCVE Enrichment