Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Musico musico allows Reflected XSS.This issue affects Musico: from n/a through < 3.4.5.
Published: 2026-03-05
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting (XSS)
Action: Apply patch
AI Analysis

Impact

The vulnerability involves improper neutralization of input, resulting in cross‑site scripting that allows an attacker to inject malicious scripts into a page viewed by users. These scripts can be executed in the victim’s browser, potentially leading to session hijacking, credential theft, or defacement of the site. The weakness is a client‑side injection flaw.

Affected Systems

The defect affects WordPress installations that use the ThemeGoods Musico theme with version numbers preceding 3.4.5. Versions 3.4.5 and later contain the fix.

Risk and Exploitability

This flaw carries a CVSS score of 7.1, indicating a high severity with potential for serious impact on confidentiality and integrity. The EPSS score of less than 1% suggests a low likelihood of exploitation at this time, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The likely attack vector is reflected XSS, requiring an attacker to craft a malicious link or payload that a victim opens. If successfully exploited, the attacker could run arbitrary scripts in the victim’s browser, enabling session hijack or data theft, although the vulnerability is not a remote code execution.

Generated by OpenCVE AI on April 28, 2026 at 17:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WordPress Musico theme to version 3.4.5 or later.
  • Sanitize and validate any user input fields used by the Musico theme to ensure proper escaping of output.
  • Implement a content security policy to restrict script execution on the site.

Generated by OpenCVE AI on April 28, 2026 at 17:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:45:00 +0000

Type Values Removed Values Added
References

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Musico allows Reflected XSS.This issue affects Musico: from n/a before 3.4.5. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Musico musico allows Reflected XSS.This issue affects Musico: from n/a through < 3.4.5.
References

Tue, 07 Apr 2026 09:30:00 +0000

Type Values Removed Values Added
References

Tue, 07 Apr 2026 09:15:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Musico musico allows Reflected XSS.This issue affects Musico: from n/a through <= 3.2.4. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Musico allows Reflected XSS.This issue affects Musico: from n/a before 3.4.5.
Title WordPress Musico theme <= 3.2.4 - Reflected Cross Site Scripting (XSS) vulnerability WordPress Musico theme < 3.4.5 - Cross Site Scripting (XSS) vulnerability
References

Fri, 06 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Themegoods
Themegoods musico
Wordpress
Wordpress wordpress
Vendors & Products Themegoods
Themegoods musico
Wordpress
Wordpress wordpress

Thu, 05 Mar 2026 06:15:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Musico musico allows Reflected XSS.This issue affects Musico: from n/a through <= 3.2.4.
Title WordPress Musico theme <= 3.2.4 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Themegoods Musico
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:15:02.389Z

Reserved: 2026-02-19T09:51:54.220Z

Link: CVE-2026-27367

cve-icon Vulnrichment

Updated: 2026-03-06T18:57:38.856Z

cve-icon NVD

Status : Deferred

Published: 2026-03-05T06:16:26.357

Modified: 2026-04-23T15:37:21.350

Link: CVE-2026-27367

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T17:45:16Z

Weaknesses