CVE-2024-3867

MEDIUM

archive-tainacan-collection <2.7.2 - XSS

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-3867. PoCs published by c4cnm.

AI-analyzed exploit summary The repository provides a technical analysis of CVE-2024-3867, a reflected XSS vulnerability in the archive-tainacan-collection WordPress theme. It includes details on the vulnerable endpoint, payload construction, and bypass techniques for string replacement.

Description

The archive-tainacan-collection theme for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in version 2.7.2. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Exploits (1)

nomisec WRITEUP
by c4cnm · poc
https://github.com/c4cnm/CVE-2024-3867

The repository provides a technical analysis of CVE-2024-3867, a reflected XSS vulnerability in the archive-tainacan-collection WordPress theme. It includes details on the vulnerable endpoint, payload construction, and bypass techniques for string replacement.

Classification
Writeup 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: archive-tainacan-collection WordPress theme version 2.7.2
No auth needed
Prerequisites: A user clicking on a malicious link
MITRE ATT&CK
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (2)

Core 2

Scores

CVSS v3 6.1
EPSS 0.0082
EPSS Percentile 52.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (1)
tainacan/Tainacan Interface < 2.7.2
Published Apr 16, 2024
Tracked Since Feb 18, 2026