Platform
wordpress
Component
legacy-admin
Fixed in
9.5.1
CVE-2026-22524 describes a Reflected Cross-Site Scripting (XSS) vulnerability discovered in ThemePassion Legacy Admin. This flaw allows attackers to inject malicious scripts into web pages viewed by other users, potentially leading to account compromise and data theft. The vulnerability impacts versions from 0.0.0 up to and including 9.5, and a patch is expected to be released by the vendor. Prompt action is recommended to secure installations.
The primary impact of this Reflected XSS vulnerability is the potential for attackers to execute arbitrary JavaScript code within the context of a user's browser session. This can be exploited to steal sensitive information, such as session cookies, authentication tokens, or personally identifiable information (PII). An attacker could also redirect users to malicious websites, deface the website, or perform actions on behalf of the user without their knowledge. Successful exploitation could lead to complete account takeover and compromise of the entire administrative interface, potentially granting access to sensitive data and configuration settings.
CVE-2026-22524 was publicly disclosed on 2026-03-25. As of this writing, there are no known public proof-of-concept exploits available. The vulnerability is not currently listed on the CISA KEV catalog. The relatively recent disclosure suggests that active exploitation is possible, but not yet widespread.
Administrators and users of websites utilizing ThemePassion Legacy Admin are at risk. Specifically, those using older, unpatched versions (0.0.0 through 9.5) are highly vulnerable. Shared hosting environments where multiple websites share the same server resources are also at increased risk, as a compromise of one site could potentially lead to the compromise of others.
• wordpress / composer / npm:
grep -r 'Legacy Admin' /var/www/html/wp-content/plugins/
wp plugin list | grep -i 'legacy-admin'
• generic web:
curl -I 'https://your-website.com/admin/index.php?param=<script>alert(1)</script>' | grep Content-Type
Disclosure
Exploit status
EPSS
0.04% (11th percentile)
CISA SSVC
CVSS vector
The immediate mitigation for CVE-2026-22524 is to upgrade to a patched version of ThemePassion Legacy Admin as soon as it becomes available. Until a patch is released, consider implementing input validation and output encoding on all user-supplied data to prevent the injection of malicious scripts. Web Application Firewalls (WAFs) configured with rules to detect and block XSS payloads can also provide a layer of protection. Regularly review and update security policies and conduct vulnerability scans to identify and address potential weaknesses.
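As an added illustration (not the plugin's or vendor's own code), the class of reflected sink this advisory describes in a WordPress plugin, beside the WordPress-idiomatic fix built from the input validation and output encoding recommended above. The parameter name `param` is a placeholder taken from the curl check on this page, and the function names are hypothetical.

```php
<?php
// Constructed example, not code from ThemePassion Legacy Admin.
// Parameter name 'param' and function names are placeholders.

// BEFORE: a reflected XSS sink. The raw query value is written straight
// into an HTML attribute and a text node, so any HTML in the URL renders.
function legacy_admin_render_search_vulnerable() {
    $term = isset( $_GET['param'] ) ? $_GET['param'] : '';
    echo '<input type="text" name="param" value="' . $term . '">';
    echo '<p>Results for ' . $term . '</p>';
}

// AFTER: unslash and sanitize on the way in, then escape for the exact
// output context (attribute vs. text node) at the point of output.
// Sanitizing alone is not enough; the context-specific escape is what
// stops the browser from interpreting the value as markup.
function legacy_admin_render_search_fixed() {
    $term = isset( $_GET['param'] )
        ? sanitize_text_field( wp_unslash( $_GET['param'] ) )
        : '';
    echo '<input type="text" name="param" value="' . esc_attr( $term ) . '">';
    echo '<p>Results for ' . esc_html( $term ) . '</p>';
}

// A value that is safe in a text node is not automatically safe in a URL:
// use esc_url() for href/src and esc_html() for the link text.
function legacy_admin_render_link_fixed( $term ) {
    $url = add_query_arg( 'param', $term, admin_url( 'admin.php' ) );
    echo '<a href="' . esc_url( $url ) . '">' . esc_html( $term ) . '</a>';
}
```

Wrapping the render callbacks in a capability check (e.g. `current_user_can( 'manage_options' )`) limits who can reach the page at all, but does not replace output escaping, since reflected XSS is triggered in the victim's own browser.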
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
CVE-2026-22524 is a Reflected XSS vulnerability affecting ThemePassion Legacy Admin versions 0.0.0 through 9.5, allowing attackers to inject malicious scripts via crafted URLs.
If you are using ThemePassion Legacy Admin version 0.0.0 through 9.5, you are potentially affected. Upgrade to a patched version as soon as possible.
The recommended fix is to upgrade to a patched version of ThemePassion Legacy Admin. Check the vendor's website for the latest version.
While no active exploitation has been confirmed, the ease of exploitation suggests potential for future attacks. Monitor security advisories and logs.
Refer to the ThemePassion website and WordPress plugin repository for official advisories and updates related to CVE-2026-22524.