CVE-2026-22524
Published: 25 March 2026
Summary
CVE-2026-22524 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 11.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-10 mandates information input validation at entry points, directly preventing the improper neutralization of input that enables reflected XSS in the Legacy Admin WordPress plugin.
SI-15 requires filtering of information output to block script injection, comprehensively addressing reflected XSS execution in victim browsers.
SI-2 ensures timely identification, reporting, and correction of flaws like the reflected XSS vulnerability in Legacy Admin versions through 9.5.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Reflected XSS directly enables public web app exploitation (T1190) with arbitrary JS execution (T1059.007) and supports browser session hijacking (T1185).
NVD Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themepassion Legacy Admin legacy-admin allows Reflected XSS.This issue affects Legacy Admin: from n/a through <= 9.5.
Deeper analysisAI
CVE-2026-22524 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79. It affects the Legacy Admin WordPress plugin developed by themepassion, with all versions from n/a through 9.5 vulnerable. The issue was published on 2026-03-25 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
Attackers can exploit this vulnerability remotely over the network with low attack complexity, requiring no privileges but relying on user interaction, such as a victim clicking a malicious link or visiting a crafted page. Exploitation enables arbitrary JavaScript execution in the victim's browser context within the Scope:Changed security scope, potentially compromising low levels of confidentiality, integrity, and availability, such as session hijacking or data theft from the site.
Patchstack advisories document this Reflected XSS in Legacy Admin version 9.5, providing details on the vulnerability. Practitioners should review the advisory at https://patchstack.com/database/Wordpress/Plugin/legacy-admin/vulnerability/wordpress-legacy-admin-plugin-9-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve for recommended mitigations and any available patches.
Details
- CWE(s)