VYPR
High severity (7.1) · NVD Advisory · Published Feb 20, 2026 · Updated Apr 15, 2026

CVE-2026-24943

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Grand Conference grandconference allows Reflected XSS. This issue affects Grand Conference: from n/a through <= 5.3.4.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS vulnerability in Grand Conference WordPress theme allows attackers to inject malicious scripts via crafted requests, affecting versions up to 5.3.4.

The Grand Conference WordPress theme by ThemeGoods is vulnerable to a reflected cross-site scripting (XSS) attack due to improper neutralization of user-supplied input during web page generation. This flaw affects all versions up to and including 5.3.4, and has been assigned a CVSS v3 score of 7.1 (High) [1].

Exploitation requires user interaction, such as clicking a specially crafted link or visiting a maliciously prepared page. An attacker does not need authentication to deliver the payload, but the victim must perform an action for the script to execute. This makes the vulnerability suitable for mass-exploit campaigns targeting thousands of WordPress sites regardless of their size or popularity [1].

Successful exploitation allows an attacker to inject arbitrary HTML and JavaScript into the victim's browser. This can be used to perform redirects, display advertisements, steal session cookies, or deface the website. The injected script executes in the context of the vulnerable site, potentially compromising the integrity and confidentiality of user data [1].

The vulnerability is patched in version 5.3.5 of the Grand Conference theme. Users are strongly advised to update immediately. If updating is not possible, applying a virtual patch or mitigation rule, such as those provided by Patchstack, can block attacks until the update is applied [1].
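To confirm which installs still need the update, the following added example (not code from the advisory, ThemeGoods or Patchstack) reads each theme's `style.css` header and compares its `Version` with the last affected release, 5.3.4. It assumes the theme is installed under a directory named after its slug, `grandconference`; the sample header is constructed, and child themes are flagged because they run the parent theme's templates.

```python
import re
import sys
from pathlib import Path

THEME_SLUG = "grandconference"   # slug named in the advisory
LAST_AFFECTED = (5, 3, 4)        # affected through 5.3.4; fixed in 5.3.5

# Constructed sample of a theme style.css header (not taken from the real theme).
SAMPLE_STYLE_CSS = """/*
Theme Name: Grand Conference
Version: 5.3.4
*/
"""

def header_field(css_text, name):
    """Read one header field the way WordPress does: first 8 KB, 'Name: value'."""
    m = re.search(r"^[ \t/*#@]*" + re.escape(name) + r":(.*)$",
                  css_text[:8192], re.M | re.I)
    if not m:
        return None
    return re.sub(r"\s*(?:\*/|\?>).*", "", m.group(1)).strip()

def version_tuple(version):
    """'5.3' -> (5, 3, 0), so comparison is numeric rather than lexical."""
    nums = [int(n) for n in re.findall(r"\d+", version)]
    return tuple(nums + [0] * (3 - len(nums)))

def assess(slug, css_text):
    """Return 'affected', 'patched', 'unknown', 'child' or 'not-applicable'."""
    if slug != THEME_SLUG:
        # A child theme still executes the parent theme's PHP templates.
        parent = header_field(css_text, "Template") or ""
        return "child" if parent.lower() == THEME_SLUG else "not-applicable"
    version = header_field(css_text, "Version")
    if not version or not re.search(r"\d", version):
        return "unknown"
    return "affected" if version_tuple(version) <= LAST_AFFECTED else "patched"

def scan(themes_dir):
    """Assess every theme under a wp-content/themes directory."""
    return {p.parent.name: assess(p.parent.name, p.read_text(errors="replace"))
            for p in sorted(Path(themes_dir).glob("*/style.css"))}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for slug, status in scan(sys.argv[1]).items():
            print(f"{slug}: {status}")
    else:
        print("sample:", assess(THEME_SLUG, SAMPLE_STYLE_CSS))
```

Run it with the path to a site's `wp-content/themes` directory; a `child` result means the parent theme's own entry decides whether the site is exposed.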

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

References

1
