Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themepassion Legacy Admin legacy-admin allows Reflected XSS.This issue affects Legacy Admin: from n/a through <= 9.5.
AnalysisAI
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the themepassion Legacy Admin WordPress plugin affecting versions up to and including 9.5, which allows attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input neutralization during web page generation (CWE-79), enabling arbitrary JavaScript execution in victims' browsers. An attacker can craft a malicious URL containing unfiltered input and trick users into clicking it, potentially leading to session hijacking, credential theft, or malware distribution.
Technical ContextAI
This vulnerability is rooted in CWE-79 (Improper Neutralization of Input During Web Page Generation), which describes insufficient sanitization or encoding of user-supplied input before it is rendered in HTML context. The themepassion Legacy Admin plugin (identified via CPE cpe:2.3:a:themepassion:legacy_admin:*:*:*:*:*:*:*:*) fails to properly escape or validate request parameters before echoing them back in HTTP responses. Reflected XSS differs from stored XSS in that the malicious payload is not persisted in a database; instead, it travels through the URL or form parameters and is immediately reflected to the victim's browser. WordPress plugins are particularly prone to this class of vulnerability when they handle user input without leveraging WordPress's built-in sanitization functions such as sanitize_text_field(), esc_html(), or esc_attr().
RemediationAI
Immediately upgrade the themepassion Legacy Admin plugin to a patched version beyond 9.5 if available; verify the latest version at the WordPress plugin repository or vendor site. If a patch is unavailable or the vendor is no longer maintaining the plugin, consider disabling or removing the Legacy Admin plugin entirely and replacing it with a maintained WordPress administration alternative. As an interim mitigation, restrict access to the WordPress admin interface by implementing IP whitelisting, Web Application Firewall (WAF) rules to sanitize reflected parameters, and Content Security Policy (CSP) headers to prevent inline script execution. Ensure all WordPress core files, themes, and other plugins are kept current, as defense-in-depth measures reduce the overall attack surface. Refer to the Patchstack database entry for any vendor-issued security advisories or patches: https://patchstack.com/database/Wordpress/Plugin/legacy-admin/vulnerability/wordpress-legacy-admin-plugin-9-5-reflected-cross-site-scripting-xss-vulnerability.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15538
GHSA-w895-qcj5-7ffx