Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NooTheme Visionary Core noo-visionary-core allows Reflected XSS. This issue affects Visionary Core: from n/a through <= 1.4.9.
Published: 2026-03-25
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑site scripting
Action: Immediate Patch
AI Analysis

Impact

A reflected cross‑site scripting vulnerability in the NooTheme Visionary Core plugin allows an attacker to inject and execute malicious scripts in the browser of any user who views a crafted page. The flaw occurs when the plugin fails to properly neutralize user‑supplied input during page generation. The likely attack vector is a user clicking a malicious link or submitting a form that contains the crafted input; this inference is drawn from the description that the XSS is reflected and does not require authentication.

Affected Systems

WordPress sites that include the NooTheme Visionary Core plugin version 1.4.9 or earlier are affected. The vulnerability exists in all installations of the plugin up to and including that version, regardless of the WordPress core version.

Risk and Exploitability

With a CVSS score of 7.1 the flaw is considered high severity; it can be triggered by any internet user and therefore carries a broad attack surface. EPSS data is not available and the issue is not listed in the CISA KEV catalog. Because the exploitation requires only a crafted URL or form input, attackers could distribute the exploit via phishing campaigns or malicious advertisement links. The absence of authentication or privilege escalation constraints makes the vulnerability particularly attractive for attackers seeking to compromise user sessions or deface content.

Generated by OpenCVE AI on March 25, 2026 at 23:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Visionary Core plugin to version 1.5.0 or later, which removes the vulnerable code.
  • If an immediate upgrade is not possible, disable or delete the plugin from the WordPress installation.
  • Verify that no legacy files remain after the upgrade and run a site scan to detect any malicious scripts that may have been injected.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Nootheme; Nootheme visionary Core; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Nootheme; Nootheme visionary Core; Wordpress; Wordpress wordpress

Wed, 25 Mar 2026 21:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}
ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Mar 2026 16:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NooTheme Visionary Core noo-visionary-core allows Reflected XSS. This issue affects Visionary Core: from n/a through <= 1.4.9.

Type: Title
Values Removed: (none)
Values Added: WordPress Visionary Core plugin <= 1.4.9 - Reflected Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-24T15:35:41.112Z

Reserved: 2026-01-28T09:50:46.305Z

Link: CVE-2026-24980

Vulnrichment

Updated: 2026-03-25T20:17:46.445Z

NVD

Status: Deferred

Published: 2026-03-25T17:16:40.470

Modified: 2026-04-24T16:32:53.997

Link: CVE-2026-24980

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-26T12:13:05Z

Weaknesses