CVE-2026-22328 | Severity: HIGH | CNA: Patchstack

CVE-2026-22328: WordPress Auto Repair theme <= 22.6 - Reflected Cross Site Scripting (XSS) vulnerability

Unauthenticated Cross Site Scripting (XSS) in Auto Repair theme versions <= 22.6.

Metrics

CVSS v3.1: 7.1
Severity: HIGH
Fixed in: no fix version published yet
Affected Products: 1


HarborGuard Analysis

Synopsis

Reflected cross-site scripting (XSS) in the VamTam Auto Repair WordPress theme version 22.6 and earlier allows an unauthenticated remote attacker to inject malicious scripts into a victim's browser by tricking them into visiting a crafted URL. No login or account is required to craft the attack payload; the victim only needs to click a malicious link. Successful exploitation gives the attacker the ability to read session cookies, inject content, and partially disrupt the page rendered in the victim's browser. HarborGuard is tracking this advisory for patch availability as no fix version has been published yet.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment - CVE-2026-22328 is ingested from upstream feeds including the Patchstack advisory within minutes of publication and matched against customer images and build pipelines, including custom-built WordPress images that package the Auto Repair theme. Coverage extends to images in private registries as well as images evaluated at CI pipeline time.

Status: Available
Triage

HarborGuard scores this CVE at 7.1 HIGH using the published CVSS v3.1 vector and can weight that score against each customer organization's compliance policy to adjust priority and route findings to the appropriate team inbox. Environments with stricter policies for internet-facing web applications will surface this finding at elevated priority automatically.

Status: Available
Patch

Because no upstream fix version has been published, HarborGuard re-checks the Patchstack advisory and upstream VamTam release channels on every ingest cycle. The moment a patched version of the Auto Repair theme is released, a rebuilt image at that fix version becomes available, and customers with auto-remediation enabled will receive a rebuild, a regression test run, and a pull request opened against affected workloads.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker delivers the malicious payload over the network by crafting a URL that targets the vulnerable theme endpoint, so the service must be reachable from the internet or from the attacker's network position.

  • Authentication: Not required

    No account or credentials of any kind are needed; the reflected payload can be crafted and delivered by any anonymous party.

  • Victim interaction: Required

    A victim must click or otherwise navigate to the attacker-crafted URL for the malicious script to execute in their browser, making social engineering a necessary step.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no special conditions, race conditions, or environmental configuration to trigger.

Blast Radius

  • Reads browser-accessible session cookies and authentication tokens belonging to the victim, which can be replayed to impersonate the victim.
  • Injects arbitrary content into the page rendered in the victim's browser, enabling phishing overlays or credential-harvesting forms.
  • Modifies the visual state of the rendered page, partially disrupting the legitimate user experience.
  • Executes requests on behalf of the victim against the WordPress application, potentially performing actions the victim is authorized to perform.

How HarborGuard Handles This

Available on HarborGuard: this CVE is actively monitored through every ingest cycle against the Patchstack advisory and VamTam release channels because no fix version currently exists. For container images that bundle the Auto Repair theme, compensating controls are available in the interim - network policy rules can restrict unexpected egress from the web container, and web application firewall rules that sanitize or reject requests with reflected script patterns can be applied at the ingress layer. Where compliance policy permits, customers can flag affected images for manual review and hold promotion of those images to production environments. The moment VamTam publishes a patched release, a rebuilt image at that version becomes available on HarborGuard, and customers with auto-remediation enabled will receive a rebuilt image, a regression test run, and a pull request opened against affected workloads without manual intervention.

Affected packages
  • VamTam / Auto Repair: ≤ 22.6
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L