Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themepassion Legacy Admin legacy-admin allows Reflected XSS.This issue affects Legacy Admin: from n/a through <= 9.5.
Published: 2026-03-25
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Reflected XSS via unchecked plugin input
Action: Immediate Patch
AI Analysis

Impact

The Legacy Admin plugin embeds user-supplied data directly into web pages without proper sanitization, creating a reflected cross‑site scripting flaw. When a victim visits a tampered URL or submits a malicious value, the browser may execute attacker‑supplied script. This can compromise the victim’s browser session, enabling cookie theft, session hijacking, or delivery of unwanted content.

Affected Systems

All WordPress sites running ThemePassion Legacy Admin plugin version 9.5 or earlier. The vulnerability is present from the initial release up to and including 9.5.

Risk and Exploitability

The flaw carries a CVSS score of 7.1, indicating high impact, and is not listed in CISA’s KEV catalog. No EPSS score is available. The analysis of the reported behavior does not explicitly describe the attack vector; however, it is reasonable to infer that the vulnerability can be leveraged by crafting a malicious URL or form input that is reflected back to the user’s browser, as is typical for reflected XSS attacks. While the vulnerability does not grant server‑side code execution, it exposes affected users to client‑side compromise, potentially leading to credential theft or malicious redirect.

Generated by OpenCVE AI on March 26, 2026 at 00:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Disable or uninstall the Legacy Admin plugin until an official patch is released.
  • If the plugin must remain active, ensure it is used only by trusted administrators and disable any publicly accessible input fields.
  • Verify that all user input is escaped or sanitized before rendering; consider implementing output encoding to prevent script injection.
  • Check the ThemePassion website or contact support for a vendor‑supplied fix.
  • Keep site logs monitored for anomalous request patterns that might indicate exploitation attempts.
  • Apply WordPress core, theme, and other plugin updates promptly to reduce overall attack surface.

Generated by OpenCVE AI on March 26, 2026 at 00:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Themepassion
Themepassion legacy Admin
Wordpress
Wordpress wordpress
Vendors & Products Themepassion
Themepassion legacy Admin
Wordpress
Wordpress wordpress

Wed, 25 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themepassion Legacy Admin legacy-admin allows Reflected XSS.This issue affects Legacy Admin: from n/a through <= 9.5.
Title WordPress Legacy Admin plugin <= 9.5 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Themepassion Legacy Admin
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-23T14:14:03.892Z

Reserved: 2026-01-07T13:44:43.226Z

Link: CVE-2026-22524

cve-icon Vulnrichment

Updated: 2026-03-25T20:18:09.272Z

cve-icon NVD

Status : Deferred

Published: 2026-03-25T17:16:34.497

Modified: 2026-04-24T16:32:53.997

Link: CVE-2026-22524

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-26T12:13:14Z

Weaknesses