Skip to main content

Legacy Admin EUVDEUVD-2026-15538

| CVE-2026-22524 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-03-25 Patchstack GHSA-w895-qcj5-7ffx
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15538
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themepassion Legacy Admin legacy-admin allows Reflected XSS.This issue affects Legacy Admin: from n/a through <= 9.5.

AnalysisAI

A Reflected Cross-Site Scripting (XSS) vulnerability exists in the themepassion Legacy Admin WordPress plugin affecting versions up to and including 9.5, which allows attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input neutralization during web page generation (CWE-79), enabling arbitrary JavaScript execution in victims' browsers. An attacker can craft a malicious URL containing unfiltered input and trick users into clicking it, potentially leading to session hijacking, credential theft, or malware distribution.

Technical ContextAI

This vulnerability is rooted in CWE-79 (Improper Neutralization of Input During Web Page Generation), which describes insufficient sanitization or encoding of user-supplied input before it is rendered in HTML context. The themepassion Legacy Admin plugin (identified via CPE cpe:2.3:a:themepassion:legacy_admin:*:*:*:*:*:*:*:*) fails to properly escape or validate request parameters before echoing them back in HTTP responses. Reflected XSS differs from stored XSS in that the malicious payload is not persisted in a database; instead, it travels through the URL or form parameters and is immediately reflected to the victim's browser. WordPress plugins are particularly prone to this class of vulnerability when they handle user input without leveraging WordPress's built-in sanitization functions such as sanitize_text_field(), esc_html(), or esc_attr().

RemediationAI

Immediately upgrade the themepassion Legacy Admin plugin to a patched version beyond 9.5 if available; verify the latest version at the WordPress plugin repository or vendor site. If a patch is unavailable or the vendor is no longer maintaining the plugin, consider disabling or removing the Legacy Admin plugin entirely and replacing it with a maintained WordPress administration alternative. As an interim mitigation, restrict access to the WordPress admin interface by implementing IP whitelisting, Web Application Firewall (WAF) rules to sanitize reflected parameters, and Content Security Policy (CSP) headers to prevent inline script execution. Ensure all WordPress core files, themes, and other plugins are kept current, as defense-in-depth measures reduce the overall attack surface. Refer to the Patchstack database entry for any vendor-issued security advisories or patches: https://patchstack.com/database/Wordpress/Plugin/legacy-admin/vulnerability/wordpress-legacy-admin-plugin-9-5-reflected-cross-site-scripting-xss-vulnerability.

Share

EUVD-2026-15538 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy