VYPR
Unrated severity · NVD Advisory · Published Jun 16, 2026

WordPress Grand Car Rental theme <= 3.7 - Cross Site Scripting (XSS) vulnerability

CVE-2025-69151

Description

Unauthenticated XSS in the Grand Car Rental theme ≤3.7 allows attackers to inject malicious scripts through input that the theme accepts without authentication.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

An unauthenticated Cross-Site Scripting (XSS) vulnerability exists in the Grand Car Rental WordPress theme, affecting versions 3.7 and earlier. The theme fails to properly sanitize user-supplied input, allowing an attacker to inject arbitrary HTML and JavaScript code without requiring authentication [1].

Exploitation

An attacker can exploit this vulnerability by sending a crafted request to the vulnerable endpoint without any prior authentication. However, successful execution of the injected script requires a privileged user (such as an administrator) to perform an action, such as clicking a malicious link, visiting a specially crafted page, or submitting a form [1]. This user interaction is necessary for the payload to be rendered and executed in the context of the victim's browser.

Impact

If successfully exploited, an attacker can inject malicious scripts that execute when visitors access the affected website. This can lead to various outcomes, including redirecting users to malicious sites, displaying unwanted advertisements, stealing session cookies, or performing actions on behalf of the victim user. The CVSS score for this vulnerability is 7.1, indicating a moderate severity [1].

Mitigation

As of the publication date, the recommended mitigation is to update the Grand Car Rental theme to a version newer than 3.7 if an official patch is available. If an immediate update is not possible, Patchstack has issued a mitigation rule that blocks attacks until an official patch can be tested and applied [1]. Users unable to apply the update or mitigation should consult their hosting provider or web developer for assistance.

AI Insight generated on Jun 17, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context is available for this CVE; the mechanics section is only generated when the actual fix diff can be read. Without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 1

News mentions: 1