{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28073", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-25T12:13:47.059Z", "datePublished": "2026-03-19T05:18:56.777Z", "dateUpdated": "2026-04-28T16:15:06.683Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "WP eMember", "vendor": "Tips and Tricks HQ", "versions": [{"lessThanOrEqual": "v10.2.2", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tips and Tricks HQ WP eMember allows Reflected XSS.<p>This issue affects WP eMember: from n/a through v10.2.2.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tips and Tricks HQ WP eMember allows Reflected XSS.This issue affects WP eMember: from n/a through v10.2.2."}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "CAPEC-591 Reflected XSS"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:15:06.683Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/wordpress/plugin/wp-emember/vulnerability/wordpress-wp-emember-theme-v10-2-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "source": {"discovery": "EXTERNAL"}, "title": "WordPress WP eMember theme <= v10.2.2 - Reflected Cross Site Scripting (XSS) vulnerability", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-19T13:56:48.267333Z", "id": "CVE-2026-28073", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T13:57:47.747Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28073", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-19T13:56:48.267333Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T13:57:40.944Z"}}], "cna": {"title": "WordPress WP eMember theme <= v10.2.2 - Reflected Cross Site Scripting (XSS) vulnerability", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "CAPEC-591 Reflected XSS"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Tips and Tricks HQ", "product": "WP eMember", "versions": [{"status": "affected", "version": "n/a", "versionType": "custom", "lessThanOrEqual": "v10.2.2"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://patchstack.com/database/wordpress/plugin/wp-emember/vulnerability/wordpress-wp-emember-theme-v10-2-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tips and Tricks HQ WP eMember allows Reflected XSS.This issue affects WP eMember: from n/a through v10.2.2.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tips and Tricks HQ WP eMember allows Reflected XSS.<p>This issue affects WP eMember: from n/a through v10.2.2.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-19T05:18:56.777Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28073", "state": "PUBLISHED", "dateUpdated": "2026-03-19T13:57:47.747Z", "dateReserved": "2026-02-25T12:13:47.059Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-19T05:18:56.777Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tips and Tricks HQ WP eMember allows Reflected XSS.This issue affects WP eMember: from n/a through v10.2.2."}, {"lang": "es", "value": "Vulnerabilidad de Neutralizaci\u00f3n Incorrecta de la Entrada Durante la Generaci\u00f3n de P\u00e1ginas Web ('cross-site scripting') en Tips and Tricks HQ WP eMember permite XSS Reflejado. Este problema afecta a WP eMember: desde n/d hasta v10.2.2."}], "id": "CVE-2026-28073", "lastModified": "2026-04-28T19:37:26.453", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.7, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-03-19T06:16:26.550", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/wordpress/plugin/wp-emember/vulnerability/wordpress-wp-emember-theme-v10-2-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,10.2.2]"}}], "enrichment": {"confidence": 96.0, "confidence_source": "matching", "scores": [{"score": 96.0, "source": "matching"}]}, "original": {"product": "WP eMember", "source": "cna", "vendor": "Tips and Tricks HQ"}, "product": "wp_emember", "vendor": "tipsandtricks-hq"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-28T22:21:06.209574+00:00", "value": {"mitigation_remediation": ["Upgrade the WP eMember theme to version 10.2.3 or later once the vendor releases a patch.", "If an upgrade is not immediately possible, validate and sanitize all user input on the front\u2011end before rendering it in a page, and disable or escape any places where user data can be reflected directly.", "Apply a web application firewall rule that blocks requests containing common XSS payloads such as <script> tags or event handler attributes.", "Monitor site logs for repeated attempts at injecting unexpected query parameters or form data, and block repeat offenders if necessary."], "summary": {"action": "Patch Now", "impact": "Cross-site Scripting"}, "threat_synthesis": {"affected_systems": "The WP eMember theme from Tips and Tricks HQ is affected in all releases up to and including version 10.2.2. Any WordPress installation using a version labeled 10.2.2 or earlier is vulnerable. Versions newer than 10.2.2 are not impacted according to the available information.", "description_and_impact": "This flaw is an Improper Neutralization of Input During Web Page Generation (XSS) vulnerability affecting the Tips and Tricks HQ WP eMember theme. The lack of input sanitization allows reflected cross\u2011site scripting in responses rendered by the theme, permitting attackers to inject malicious JavaScript. By supplying crafted input \u2013 for example via URL parameters or form fields \u2013 the script is executed in the victim\u2019s browser with the permissions of the site\u2019s user, which can lead to session hijacking, phishing, or defacement.", "risk_and_exploitability": "The CVSS score of 7.1 indicates a high severity of this reflected XSS. Exploitation requires that an attacker can influence input that is reflected in a response, likely via crafted URLs or inputs on the front-end. The EPSS score is < 1%, indicating a very low but non-zero probability of exploitation, and the vulnerability is not listed in the KEV catalog, suggesting it is not a widely known exploit yet. However the high severity and the ease of exploiting reflected XSS make this a significant risk for any exposed users. The attack vector is assumed to be remote through a web request that carries the malicious input, as is typical for reflected XSS scenarios."}}}}, "created": "2026-03-19T08:54:41.439552+00:00", "updated": "2026-04-28T22:30:41.601693+00:00", "vendors": ["tipsandtricks-hq", "tipsandtricks-hq$PRODUCT$wp_emember", "wordpress", "wordpress$PRODUCT$wordpress"]}