Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themepassion Ultra WordPress Admin ultra-admin allows Reflected XSS.This issue affects Ultra WordPress Admin: from n/a through <= 11.7.
Published: 2026-03-25
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Client-side code execution (XSS)
Action: Immediate Patch
AI Analysis

Impact

A reflected cross‑site scripting (XSS) flaw in the Ultra WordPress Admin plug‑in lets an attacker inject arbitrary JavaScript into pages viewed by site administrators and other users. Because the input is not properly sanitized, malicious code can run in the victim’s browser, enabling session hijacking, cookie theft, defacement, or phishing attacks. The weakness is categorized as improper neutralization of input during web page generation (CWE‑79).

Affected Systems

The vulnerability affects themepassion’s Ultra WordPress Admin plug‑in, versions from the earliest to 11.7 inclusive. Any installation running a version numbered 11.7 or lower is impacted.

Risk and Exploitability

This issue carries a CVSS score of 7.1, indicating a moderate to high severity level. The EPSS score is not reported, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, suggesting that widespread exploitation has not yet been observed. The attack vector is inferred to be remote: an adversary can craft a URL or embed malicious parameters in a form so that when a target user visits the page, the injected script executes in their browser. The flaw does not require privileged access; any authenticated or even unauthenticated user with a valid session can be targeted.

Generated by OpenCVE AI on March 25, 2026 at 22:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Ultra WordPress Admin to a version newer than 11.7.
  • If an upgrade is not immediately possible, disable or uninstall the plugin until a patch is available.
  • Verify that no reflected XSS entry points remain by testing common search or URL parameters after any change.
  • Monitor site traffic for suspicious activity and consider applying a web application firewall rule to block common XSS payloads.

Generated by OpenCVE AI on March 25, 2026 at 22:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Themepassion
Themepassion ultra Wordpress Admin
Wordpress
Wordpress wordpress
Vendors & Products Themepassion
Themepassion ultra Wordpress Admin
Wordpress
Wordpress wordpress

Wed, 25 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themepassion Ultra WordPress Admin ultra-admin allows Reflected XSS.This issue affects Ultra WordPress Admin: from n/a through <= 11.7.
Title WordPress Ultra WordPress Admin plugin <= 11.7 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Themepassion Ultra Wordpress Admin
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-24T15:45:53.335Z

Reserved: 2026-01-07T13:44:43.226Z

Link: CVE-2026-22523

cve-icon Vulnrichment

Updated: 2026-03-25T20:18:12.556Z

cve-icon NVD

Status : Deferred

Published: 2026-03-25T17:16:34.363

Modified: 2026-04-24T16:32:53.997

Link: CVE-2026-22523

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-26T12:13:15Z

Weaknesses