Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tips and Tricks HQ WP eMember wp-eMember allows Reflected XSS. This issue affects WP eMember: from n/a through <= v10.2.2.
Published: 2026-03-19
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Cross-site Scripting
Action: Patch Now
AI Analysis

Impact

This vulnerability is an Improper Neutralization of Input During Web Page Generation (XSS) flaw that allows attackers to inject malicious JavaScript into web pages rendered by the WP eMember theme. The software fails to properly escape user-controlled data, enabling reflected XSS. When an attacker supplies crafted input (for example through URL parameters, form fields, or other input vectors), the malicious script is executed in the victim's browser with the privileges of the site's users, potentially leading to session hijacking, phishing, or defacement.

Affected Systems

The WP eMember theme from Tips and Tricks HQ is affected in all releases up to and including version 10.2.2. Any WordPress installation using a version labeled 10.2.2 or earlier is vulnerable. Versions newer than 10.2.2 are not impacted according to the available information.

Risk and Exploitability

The CVSS score of 7.1 indicates that this reflected XSS is of high severity. Exploitation requires that an attacker can influence input that is reflected in a response, likely via crafted URLs or inputs on the front-end. No EPSS score is reported, and the vulnerability is not listed in the KEV catalog, suggesting it is not a widely known exploit yet. However, the high severity and the ease of exploiting reflected XSS make this a significant risk for any exposed users. The attack vector is assumed to be remote through a web request that carries the malicious input, as is typical for reflected XSS scenarios.

Generated by OpenCVE AI on March 19, 2026 at 06:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WP eMember theme to version 10.2.3 or later once the vendor releases a patch.
  • If an upgrade is not immediately possible, validate and sanitize all user input on the front-end before rendering it in a page, and disable or escape any places where user data can be reflected directly.
  • Apply a web application firewall rule that blocks requests containing common XSS payloads such as <script> tags or event handler attributes.
  • Monitor site logs for repeated attempts at injecting unexpected query parameters or form data, and block repeat offenders if necessary.


Tracking


Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:45:00 +0000


Thu, 23 Apr 2026 15:00:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tips and Tricks HQ WP eMember allows Reflected XSS.This issue affects WP eMember: from n/a through v10.2.2.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tips and Tricks HQ WP eMember wp-eMember allows Reflected XSS.This issue affects WP eMember: from n/a through <= v10.2.2.
References

Thu, 19 Mar 2026 15:15:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 19 Mar 2026 09:45:00 +0000

Type: First Time appeared
Values Added: Tipsandtricks-hq; Tipsandtricks-hq wp Emember; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Tipsandtricks-hq; Tipsandtricks-hq wp Emember; Wordpress; Wordpress wordpress

Thu, 19 Mar 2026 05:30:00 +0000

Type: Description
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tips and Tricks HQ WP eMember allows Reflected XSS.This issue affects WP eMember: from n/a through v10.2.2.

Type: Title
Values Added: WordPress WP eMember theme <= v10.2.2 - Reflected Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values Added: CWE-79

Type: References

Type: Metrics
Values Added: cvssV3_1
{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Tipsandtricks-hq Wp Emember
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-23T14:14:11.238Z

Reserved: 2026-02-25T12:13:47.059Z

Link: CVE-2026-28073

Vulnrichment

Updated: 2026-03-19T13:57:40.944Z

NVD

Status : Deferred

Published: 2026-03-19T06:16:26.550

Modified: 2026-04-23T15:37:22.690

Link: CVE-2026-28073

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T11:55:25Z

Weaknesses