Platform: wordpress
Component: legacy-admin
Fixed in: 9.5.1
CVE-2026-22524 describes a Reflected Cross-Site Scripting (XSS) vulnerability discovered in ThemePassion Legacy Admin. This flaw allows attackers to inject malicious scripts into web pages viewed by other users, potentially leading to account compromise and data theft. The vulnerability impacts versions from 0.0.0 up to and including 9.5, and a fix is available via an updated version of the plugin.
The primary impact of this XSS vulnerability lies in the attacker's ability to execute arbitrary JavaScript code within the context of a user's browser session. This can be exploited to steal sensitive information such as session cookies, authentication tokens, or personally identifiable information (PII). An attacker could also redirect users to malicious websites, deface the admin interface, or perform actions on behalf of the affected user, potentially gaining unauthorized access to administrative functions. The blast radius extends to all users who interact with the vulnerable admin interface, particularly those with elevated privileges.
CVE-2026-22524 was publicly disclosed on 2026-03-25. No public proof-of-concept (POC) code has been identified at the time of writing, but the Reflected XSS nature of the vulnerability makes it relatively straightforward to exploit. The EPSS score is likely to be medium, given the ease of exploitation and potential impact. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns.
Exploit Status
EPSS: 0.04% (11th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-22524 is to upgrade to a patched version of ThemePassion Legacy Admin. If upgrading immediately is not feasible, consider implementing temporary workarounds such as input validation and output encoding on user-supplied data within the admin interface. Web Application Firewalls (WAFs) configured with rules to detect and block XSS payloads can also provide a layer of defense. Regularly review access logs for suspicious activity and consider implementing Content Security Policy (CSP) to restrict the sources from which scripts can be executed.
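As an added illustration of the output-encoding workaround described above (example code written for this page, not ThemePassion Legacy Admin's own code and not the code path behind CVE-2026-22524), here is a hypothetical WordPress admin page that reflects a query parameter named `lam_search`, shown first as the unsafe pattern and then hardened with WordPress's own sanitization and escaping helpers:

```php
<?php
// Added example; hypothetical plugin page, not code from Legacy Admin.
// Both renderers echo the request parameter "lam_search" back into the page.

// UNSAFE pattern: the raw query value is concatenated straight into HTML,
// so any markup it contains becomes part of the page (reflected XSS).
function lam_render_search_unsafe() {
    $term = isset( $_GET['lam_search'] ) ? $_GET['lam_search'] : '';
    echo '<h2>Results for: ' . $term . '</h2>';
    echo '<input type="text" name="lam_search" value="' . $term . '">';
}

// HARDENED pattern: unslash and sanitize on input, then escape for the
// exact output context (element text vs. attribute value) with core helpers.
function lam_render_search_safe() {
    $term = isset( $_GET['lam_search'] )
        ? sanitize_text_field( wp_unslash( $_GET['lam_search'] ) )
        : '';
    echo '<h2>Results for: ' . esc_html( $term ) . '</h2>';
    echo '<input type="text" name="lam_search" value="' . esc_attr( $term ) . '">';
}

// Register the hardened renderer as an admin menu page, restricted to users
// holding the manage_options capability.
add_action( 'admin_menu', function () {
    add_menu_page(
        'Legacy Search',          // page title
        'Legacy Search',          // menu title
        'manage_options',         // required capability
        'lam-search',             // menu slug (hypothetical)
        'lam_render_search_safe'  // callback that renders the page
    );
} );
```

Escaping must be chosen per output context: `esc_html()` for text nodes, `esc_attr()` for attribute values, `esc_url()` for href/src values; sanitizing on input alone does not replace it.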
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
CVE-2026-22524 is a Reflected XSS vulnerability affecting ThemePassion Legacy Admin versions 0.0.0 through 9.5, allowing attackers to inject malicious scripts via crafted URLs.
If you are using ThemePassion Legacy Admin versions 0.0.0 through 9.5, you are potentially affected. Upgrade to a patched version as soon as possible.
The recommended fix is to upgrade to a patched version of ThemePassion Legacy Admin. Check the vendor's website for the latest version.
While no active exploitation has been confirmed, the ease of exploitation suggests potential for future attacks. Monitor security advisories and logs.
Refer to the ThemePassion website and WordPress plugin repository for official advisories and updates related to CVE-2026-22524.