Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RadiusTheme Metro metro allows DOM-Based XSS. This issue affects Metro: from n/a through <= 2.13.
Published: 2026-03-05
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting (XSS) that enables the injection of arbitrary JavaScript into the page viewed by a victim, potentially leading to credential theft, session hijacking, or defacement.
Action: Apply Patch
AI Analysis

Impact

RadiusTheme Metro theme (versions up to 2.13) contains a DOM‑based Cross‑Site Scripting flaw caused by an improper neutralization of user input before it is displayed in a web page. An attacker can inject malicious JavaScript that will execute in the context of the victim’s browser, allowing the attacker to read or modify sensitive information, hijack user sessions, or deface the site.

Affected Systems

The vulnerability affects the WordPress Metro theme from vendor RadiusTheme, specifically every release up to and including 2.13; the lower bound of the affected range is not specified ("n/a"), so all earlier releases should be treated as affected. Any installation that has not been upgraded beyond 2.13 is susceptible.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.1, which falls in the High severity band. The EPSS score is reported as less than 1%, indicating that the probability of real‑world exploitation is presently very low, and the CVE is not listed in CISA’s KEV catalog. Exploitation is likely to occur via crafted URLs or form inputs that the theme’s client‑side code processes; the attacker needs only a victim to click a link or visit a malicious page to trigger the payload. Because the flaw is DOM‑based, no server‑side component has to be compromised, so the prerequisites are minimal; the trade‑off is that the attack is delivered over the web and depends on user interaction, as the CVSS vector (no privileges required, user interaction required) reflects.

Generated by OpenCVE AI on April 15, 2026 at 23:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Metro to version 2.14 or later to eliminate the DOM‑based XSS flaw.
  • If an upgrade cannot be performed immediately, deploy a Web Application Firewall or a Content Security Policy (CSP) that blocks execution of untrusted scripts.
  • Ensure that any input parameters used by the theme are properly sanitized on both the client and server side, or remove the affected features entirely from the deployment.



Advisories

No advisories yet.

History

Mon, 09 Mar 2026 16:15:00 +0000

  Type: Metrics
  Values added:
    cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}
    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000

  Type: First Time appeared
  Values added: Radiustheme, Radiustheme metro, Wordpress, Wordpress wordpress

  Type: Vendors & Products
  Values added: Radiustheme, Radiustheme metro, Wordpress, Wordpress wordpress

Thu, 05 Mar 2026 06:15:00 +0000

  Type: Description
  Values added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RadiusTheme Metro metro allows DOM-Based XSS. This issue affects Metro: from n/a through <= 2.13.

  Type: Title
  Values added: WordPress Metro theme <= 2.13 - Reflected Cross Site Scripting (XSS) vulnerability

  Type: Weaknesses
  Values added: CWE-79

  Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:15:02.818Z

Reserved: 2026-02-19T09:51:58.586Z

Link: CVE-2026-27382

Vulnrichment

Updated: 2026-03-09T15:53:21.864Z

NVD

Status: Deferred

Published: 2026-03-05T06:16:27.567

Modified: 2026-04-22T21:26:58.303

Link: CVE-2026-27382

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T23:45:05Z

Weaknesses