{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22524", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-07T13:44:43.226Z", "datePublished": "2026-03-25T16:14:29.032Z", "dateUpdated": "2026-03-25T20:23:34.057Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://codecanyon.net", "defaultStatus": "unaffected", "packageName": "legacy-admin", "product": "Legacy Admin", "vendor": "themepassion", "versions": [{"lessThanOrEqual": "<= 9.5", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:12.591Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themepassion Legacy Admin legacy-admin allows Reflected XSS.<p>This issue affects Legacy Admin: from n/a through <= 9.5.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themepassion Legacy Admin legacy-admin allows Reflected XSS.This issue affects Legacy Admin: from n/a through <= 9.5."}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "Reflected XSS"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:29.032Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/legacy-admin/vulnerability/wordpress-legacy-admin-plugin-9-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "title": "WordPress Legacy Admin plugin <= 9.5 - Reflected Cross Site Scripting (XSS) vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-22524", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T20:18:08.286823Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T20:23:34.057Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-22524", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T20:18:08.286823Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T20:18:09.272Z"}}], "cna": {"title": "WordPress Legacy Admin plugin <= 9.5 - Reflected Cross Site Scripting (XSS) vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "Reflected XSS"}]}], "affected": [{"vendor": "themepassion", "product": "Legacy Admin", "versions": [{"status": "affected", "version": "n/a", "versionType": "custom", "lessThanOrEqual": "<= 9.5"}], "packageName": "legacy-admin", "collectionURL": "https://codecanyon.net", "defaultStatus": "unaffected"}], "datePublic": "2026-03-25T17:12:12.591Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/legacy-admin/vulnerability/wordpress-legacy-admin-plugin-9-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themepassion Legacy Admin legacy-admin allows Reflected XSS.This issue affects Legacy Admin: from n/a through <= 9.5.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themepassion Legacy Admin legacy-admin allows Reflected XSS.<p>This issue affects Legacy Admin: from n/a through <= 9.5.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:29.032Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22524", "state": "PUBLISHED", "dateUpdated": "2026-03-25T20:23:34.057Z", "dateReserved": "2026-01-07T13:44:43.226Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-25T16:14:29.032Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themepassion Legacy Admin legacy-admin allows Reflected XSS.This issue affects Legacy Admin: from n/a through <= 9.5."}], "id": "CVE-2026-22524", "lastModified": "2026-03-25T21:16:30.470", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T17:16:34.497", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/legacy-admin/vulnerability/wordpress-legacy-admin-plugin-9-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,9.5]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Legacy Admin", "source": "cna", "vendor": "themepassion"}, "product": "legacy_admin", "vendor": "themepassion"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-26T00:08:43.610963+00:00", "value": {"mitigation_remediation": ["Disable or uninstall the Legacy Admin plugin until an official patch is released.", "If the plugin must remain active, ensure it is used only by trusted administrators and disable any publicly accessible input fields.", "Verify that all user input is escaped or sanitized before rendering; consider implementing output encoding to prevent script injection.", "Check the ThemePassion website or contact support for a vendor\u2011supplied fix.", "Keep site logs monitored for anomalous request patterns that might indicate exploitation attempts.", "Apply WordPress core, theme, and other plugin updates promptly to reduce overall attack surface."], "summary": {"action": "Immediate Patch", "impact": "Reflected XSS via unchecked plugin input"}, "threat_synthesis": {"affected_systems": "All WordPress sites running ThemePassion Legacy Admin plugin version 9.5 or earlier. The vulnerability is present from the initial release up to and including 9.5.", "description_and_impact": "The Legacy Admin plugin embeds user-supplied data directly into web pages without proper sanitization, creating a reflected cross\u2011site scripting flaw. When a victim visits a tampered URL or submits a malicious value, the browser may execute attacker\u2011supplied script. This can compromise the victim\u2019s browser session, enabling cookie theft, session hijacking, or delivery of unwanted content.", "risk_and_exploitability": "The flaw carries a CVSS score of 7.1, indicating high impact, and is not listed in CISA\u2019s KEV catalog. No EPSS score is available. The analysis of the reported behavior does not explicitly describe the attack vector; however, it is reasonable to infer that the vulnerability can be leveraged by crafting a malicious URL or form input that is reflected back to the user\u2019s browser, as is typical for reflected XSS attacks. While the vulnerability does not grant server\u2011side code execution, it exposes affected users to client\u2011side compromise, potentially leading to credential theft or malicious redirect."}}}}, "created": "2026-03-25T21:35:01.453845+00:00", "updated": "2026-03-26T12:13:14.339124+00:00", "vendors": ["themepassion", "themepassion$PRODUCT$legacy_admin", "wordpress", "wordpress$PRODUCT$wordpress"]}