WordPress · Archive-Tainacan-Collection · CVE-2024-3867
**Name of the Vulnerable Software and Affected Versions**
archive-tainacan-collection theme for WordPress versions 2.7.1 through 2.7.2
**Description**
The issue is related to Reflected Cross-Site Scripting, which occurs due to the use of `add query arg` without proper escaping on the URL. This allows unauthenticated attackers to inject arbitrary web scripts in pages, which execute when a user performs a specific action, such as clicking on a link.
**Recommendations**
For version 2.7.1, update to a version later than 2.7.2 to resolve the issue.
For version 2.7.2, update to a version later than 2.7.2 to resolve the issue.
As a temporary workaround, consider restricting access to the `add query arg` function until a patch is available.