Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tips and Tricks HQ WP eMember allows Reflected XSS. This issue affects WP eMember: from n/a through v10.2.2.
Published: 2026-03-19
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Cross-site Scripting
Action: Patch Now
AI Analysis

Impact

This flaw is an Improper Neutralization of Input During Web Page Generation (CWE-79) vulnerability in the Tips and Tricks HQ WP eMember theme for WordPress. Because a request value is not escaped before it is written into the response, it is reflected back into the generated HTML verbatim, so an attacker can place markup or JavaScript in a crafted URL or form submission. A victim who opens that link (the CVSS vector records User Interaction: Required) has the script executed in their own browser, within the site's origin and with whatever session the victim currently holds on the site. Typical consequences are theft of session cookies or tokens, actions performed on the victim's behalf, phishing content injected into a page the victim trusts, and defacement of what the victim sees. The advisory does not name the reflected parameter or the page that renders it.
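As an added illustration of the pattern described above (not code from WP eMember or from OpenCVE), the following Python stand-in renders a page three ways: reflecting a request parameter raw, escaping only angle brackets and ampersands, and escaping for the HTML context including quotes. The template, the `q` parameter and both payloads are constructed assumptions; the advisory does not say which parameter the theme reflects. A browser-like parse of each result shows whether the attacker ends up with a script element or an injected event-handler attribute. In the real theme the same job is done by WordPress's esc_html() and esc_attr() at output time, which html.escape() stands in for here.

```python
"""Reflected XSS: raw vs escaped page generation, checked with an HTML parser.

Added example; this is not WP eMember's code or OpenCVE's. The page
template, the `q` parameter and the two payloads are constructed stand-ins:
the advisory does not say which parameter the theme reflects or where.
"""
import html
from html.parser import HTMLParser

# Constructed attacker inputs. The first needs angle brackets; the second
# needs only a double quote, which is why escaping <, > and & alone is not enough.
PAYLOAD_TAG = '<script>alert(document.cookie)</script>'
PAYLOAD_ATTR = '" autofocus onfocus="alert(document.cookie)'


def render_vulnerable(q):
    """CWE-79 pattern: the request parameter is written into the page verbatim."""
    return (f'<h1>Results for {q}</h1>\n'
            f'<input name="q" value="{q}">')


def render_half_escaped(q):
    """Common partial fix: <, > and & are escaped but quotes are not.
    Text nodes are now safe, yet a quote still breaks out of the attribute."""
    return (f'<h1>Results for {html.escape(q, quote=False)}</h1>\n'
            f'<input name="q" value="{html.escape(q, quote=False)}">')


def render_escaped(q):
    """Escape on output for the context the value lands in. html.escape()
    with its default quote=True plays the role of WordPress esc_html() for
    text nodes and esc_attr() for a double-quoted attribute value."""
    return (f'<h1>Results for {html.escape(q)}</h1>\n'
            f'<input name="q" value="{html.escape(q)}">')


class TagCollector(HTMLParser):
    """Records start tags and the <input> element's attributes, i.e. what a
    browser's parser would actually build from the markup."""
    def __init__(self):
        super().__init__()
        self.tags = []
        self.input_attrs = {}

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == 'input':
            self.input_attrs = dict(attrs)


def inspect_page(page):
    """Return what the attacker obtained: a script element, an injected
    on* event-handler attribute, or nothing (the value stayed inert data)."""
    p = TagCollector()
    p.feed(page)
    p.close()
    return {
        'script_tag': 'script' in p.tags,
        'event_handler': any(name.startswith('on') for name in p.input_attrs),
        'input_value': p.input_attrs.get('value'),
    }


if __name__ == '__main__':
    for renderer in (render_vulnerable, render_half_escaped, render_escaped):
        for payload in (PAYLOAD_TAG, PAYLOAD_ATTR):
            print(f'{renderer.__name__:20s} {payload[:12]!r:16s} '
                  f'{inspect_page(renderer(payload))}')
```

The half-escaped renderer is the case worth studying: the quote-only payload survives html.escape(quote=False) and yields an autofocus/onfocus handler that fires without any click, while the escaped renderer hands the parser the payload as an inert attribute value. Stripping or encoding `<` and `>` alone is therefore not a fix for a value that lands inside an attribute; the context-specific escaper (esc_attr() in WordPress) is.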

Affected Systems

The WP eMember theme from Tips and Tricks HQ is affected in all releases up to and including v10.2.2 ("from n/a through v10.2.2" in the advisory). Any WordPress installation running v10.2.2 or earlier should be treated as vulnerable. The advisory only bounds the affected range; it does not name a fixed release, so a version later than 10.2.2 should be considered safe only once the vendor's changelog or the Patchstack advisory identifies it as the fix.

Risk and Exploitability

The CVSS 3.1 base score is 7.1 (High), vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L: the attack is delivered over the network with low complexity and no privileges, but it needs user interaction (the victim must open the crafted link), and the changed scope reflects that the injected script runs in the victim's browser rather than in the vulnerable component itself. EPSS is below 1%, a low but non-zero predicted probability of exploitation activity in the next 30 days, and the CVE is not in CISA's KEV catalog, which means no exploitation in the wild has been confirmed, not that the bug is obscure; the SSVC assessment recorded in the history below likewise lists Exploitation: none and Automatable: no. None of that lowers the practical risk much. A reflected XSS needs only a link delivered by e-mail, chat or a redirect, and once the reflecting parameter is known the payload is trivial to build, so any site exposing the vulnerable theme to its members is at meaningful risk.

Generated by OpenCVE AI on April 28, 2026 at 22:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a release the vendor identifies as fixing this issue as soon as one is available. The advisory bounds the affected range at v10.2.2 but does not name a patched version, so confirm the fix in the vendor's changelog rather than assuming the next version number is safe.
  • If you cannot upgrade yet and maintain the theme's templates, escape every reflected value on output, server‑side, with the WordPress escaping function for its context: esc_html() for HTML text, esc_attr() for attribute values, esc_url() for href and src, and wp_json_encode() or esc_js() for data handed to scripts. Client‑side validation does not help here, because the attacker controls the request and it reaches the server with the payload intact.
  • As a stopgap, a web application firewall rule that rejects requests whose parameters contain common XSS fragments (<script, on*= event handlers, javascript:) cuts down opportunistic probing, but signature filters are easily bypassed with encoding and alternative tags, so treat the rule as a temporary layer, not a fix. A Content Security Policy that disallows inline script limits what a successful injection can do.
  • Monitor access logs for requests carrying markup or script fragments in query parameters or POST bodies, URL‑decode values before matching so encoded payloads are not missed, and rate‑limit or block sources that probe repeatedly.
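The monitoring step above, as an added example that is not OpenCVE's or the vendor's tooling: a small Python scanner over constructed Apache combined-format log lines that decodes query-string values repeatedly (so a double-encoded %253C is not missed), matches the same coarse signatures a WAF rule would use, and counts hits per source address so repeat probers can be rate-limited or blocked. The path, parameter name and IP addresses are constructed sample data, not details from the advisory.

```python
"""Scan web-server access logs for reflected-XSS probes in query strings.

Added example (not OpenCVE's or the vendor's code). The log lines below
are constructed in Apache "combined" format; the /members/ path and the
`q` parameter are hypothetical and not taken from the advisory.
"""
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample log lines (documentation IP ranges, hypothetical path).
SAMPLE_LOG = r'''
203.0.113.7 - - [28/Apr/2026:19:45:01 +0000] "GET /members/?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Apr/2026:19:45:03 +0000] "GET /members/?q=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.20 - - [28/Apr/2026:19:46:10 +0000] "GET /members/?q=javascript%3Aalert(document.cookie) HTTP/1.1" 200 512 "-" "curl/8.0"
192.0.2.55 - - [28/Apr/2026:19:47:00 +0000] "GET /members/?q=hello%20world HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Apr/2026:19:48:12 +0000] "GET /members/?q=%253Cscript%253E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
'''

# Apache combined format: client IP, identity, user, [timestamp], "request", status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Coarse signatures of the kind a first-pass WAF or log rule uses. They are
# easy to evade (other tags, other handlers, encoding tricks), so a hit is a
# trigger for investigation, not proof of exploitation nor a complete filter.
XSS_PATTERNS = [
    re.compile(r'<\s*script', re.I),
    re.compile(r'<\s*(img|svg|iframe|body|object|embed)\b', re.I),
    re.compile(r'\bon[a-z]+\s*=', re.I),
    re.compile(r'javascript\s*:', re.I),
]


def decode_fully(value, max_rounds=3):
    """URL-decode repeatedly so a double-encoded %253C ('<') is not missed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_line(line):
    """Return (ip, param, decoded_value, pattern) for the first suspicious
    parameter on the line, or None for an unparseable or clean line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    query = urlsplit(m.group('target')).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        decoded = decode_fully(value)          # parse_qsl already decoded once
        for pat in XSS_PATTERNS:
            if pat.search(decoded):
                return (m.group('ip'), name, decoded, pat.pattern)
    return None


def scan_log(text):
    """Scan every line; return the list of hits and a per-IP hit count."""
    hits = [h for h in (scan_line(l) for l in text.strip().splitlines()) if h]
    return hits, Counter(h[0] for h in hits)


def repeat_offenders(counts, threshold=2):
    """IPs with at least `threshold` hits: candidates for rate limiting or blocking."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == '__main__':
    found, per_ip = scan_log(SAMPLE_LOG)
    for ip, param, value, pattern in found:
        print(f'{ip}: param {param!r} matched /{pattern}/ -> {value!r}')
    print('repeat offenders:', repeat_offenders(per_ip))
```

The double-decoding round is the part that matters operationally: a rule that matches only the single-decoded value would pass the last sample line untouched, and a matching WAF signature would be bypassed the same way.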

Generated by OpenCVE AI on April 28, 2026 at 22:21 UTC.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 19:45:00 +0000


Tue, 28 Apr 2026 18:30:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tips and Tricks HQ WP eMember wp-eMember allows Reflected XSS.This issue affects WP eMember: from n/a through <= v10.2.2.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tips and Tricks HQ WP eMember allows Reflected XSS.This issue affects WP eMember: from n/a through v10.2.2.
References

Thu, 23 Apr 2026 15:45:00 +0000


Thu, 23 Apr 2026 15:00:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tips and Tricks HQ WP eMember allows Reflected XSS.This issue affects WP eMember: from n/a through v10.2.2.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tips and Tricks HQ WP eMember wp-eMember allows Reflected XSS.This issue affects WP eMember: from n/a through <= v10.2.2.
References

Thu, 19 Mar 2026 15:15:00 +0000

Type: Metrics (ssvc)
Values Added:

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 19 Mar 2026 09:45:00 +0000

Type: First Time appeared
Values Added: Tipsandtricks-hq; Tipsandtricks-hq wp Emember; Wordpress; Wordpress wordpress
Type: Vendors & Products
Values Added: Tipsandtricks-hq; Tipsandtricks-hq wp Emember; Wordpress; Wordpress wordpress

Thu, 19 Mar 2026 05:30:00 +0000

Type: Description
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tips and Tricks HQ WP eMember allows Reflected XSS.This issue affects WP eMember: from n/a through v10.2.2.
Type: Title
Values Added: WordPress WP eMember theme <= v10.2.2 - Reflected Cross Site Scripting (XSS) vulnerability
Type: Weaknesses
Values Added: CWE-79
Type: References
Type: Metrics (cvssV3_1)
Values Added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:15:06.683Z

Reserved: 2026-02-25T12:13:47.059Z

Link: CVE-2026-28073

Vulnrichment

Updated: 2026-03-19T13:57:40.944Z

NVD

Status : Deferred

Published: 2026-03-19T06:16:26.550

Modified: 2026-04-28T19:37:26.453

Link: CVE-2026-28073

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T22:30:41Z

Weaknesses