Impact
An unauthenticated attacker can inject malicious scripts into a victim’s browser when interacting with the MagOne theme on WordPress sites. The flaw resides in input handling that allows user‑supplied data to be reflected back to the page without proper escaping, leading to potential session hijacking, credential theft, or defacement. The underlying weakness is identified as CWE‑79.
Affected Systems
The vulnerability affects the Sneeit MagOne WordPress theme versions 9.0 and earlier. Users running any of these legacy theme releases are at risk until they upgrade to 9.1 or later.
Risk and Exploitability
The CVSS score of 7.1 indicates a high severity. The EPSS score of less than 1 % shows that exploitation is unlikely at present, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the attack vector is likely unauthenticated, whereby a malicious user can craft a URL containing injected JavaScript that is reflected in the theme’s output. An attacker need not compromise the site’s admin before benefiting from the injected code.
OpenCVE Enrichment