Skip to main content

MagOne Theme EUVDEUVD-2026-37476

| CVE-2026-39548 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-16 Patchstack
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
7.1 HIGH

Network-reachable reflected XSS, no attacker auth, requires victim click (UI:R); script runs in site origin so scope changes with low C/I/A impact on the WordPress session.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 23:38 vuln.today

DescriptionCVE.org

Unauthenticated Cross Site Scripting (XSS) in MagOne <= 9.0 versions.

AnalysisAI

Reflected cross-site scripting in the MagOne WordPress theme versions 9.0 and earlier allows remote unauthenticated attackers to inject arbitrary script into a victim's browser session when the victim is lured to a crafted link. CVSS rates this 7.1 with a scope change (S:C), reflecting the ability to affect resources beyond the vulnerable component such as the authenticated WordPress session. No public exploit identified at time of analysis, but Patchstack has published the advisory in their WordPress vulnerability database.

Technical ContextAI

MagOne is a commercial WordPress theme published by sneeit (CPE cpe:2.3:a:sneeit:magone) that targets news and magazine sites. The underlying weakness is CWE-79 (Improper Neutralization of Input During Web Page Generation), specifically reflected XSS - user-supplied input is echoed into an HTTP response without proper output encoding or input sanitization, so an attacker-controlled value in a URL parameter is rendered as live HTML/JavaScript in the victim's browser. Because the theme renders content in the context of a WordPress site, injected script executes with the site's origin and can interact with any same-origin resources, including the wp-admin interface if the victim is a logged-in administrator.

RemediationAI

No vendor-released patch identified at time of analysis; consult the Patchstack advisory at https://patchstack.com/database/wordpress/theme/magone/vulnerability/wordpress-magone-theme-9-0-reflected-cross-site-scripting-xss-vulnerability for any subsequent fix notification, and upgrade to a MagOne release later than 9.0 as soon as the vendor (sneeit) publishes one. As compensating controls, deploy a WordPress-aware WAF rule (Patchstack, Wordfence, or equivalent) that filters reflected XSS payloads against MagOne theme endpoints, add a strict Content-Security-Policy header that disallows inline script and untrusted script sources - accepting that this may break legitimate inline JavaScript used by the theme and require selective allowlisting - and instruct WordPress administrators to log out before clicking unfamiliar links targeting the site, which reduces the highest-impact pivot but does not eliminate the underlying flaw.

Share

EUVD-2026-37476 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy