Cyber Resilience

CVE-2026-22524

High

Published: 25 March 2026

Published
25 March 2026
Modified
24 April 2026
KEV Added
Patch
CVSS Score v3.1 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
EPSS Score 0.0004 14.4th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-22524 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 14.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2026-22524 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79. It affects the Legacy Admin WordPress plugin developed by themepassion, with all versions from n/a through 9.5 vulnerable. The issue was published on 2026-03-25 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).

Attackers can exploit this vulnerability remotely over the network with low attack complexity, requiring no privileges but relying on user interaction, such as a victim clicking a malicious link or visiting a crafted page. Exploitation enables arbitrary JavaScript execution in the victim's browser context within the Scope:Changed security scope, potentially compromising low levels of confidentiality, integrity, and availability, such as session hijacking or data theft from the site.

Patchstack advisories document this Reflected XSS in Legacy Admin version 9.5, providing details on the vulnerability. Practitioners should review the advisory at https://patchstack.com/database/Wordpress/Plugin/legacy-admin/vulnerability/wordpress-legacy-admin-plugin-9-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve for recommended mitigations and any available patches.

EU & UK References

Vulnerability details

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themepassion Legacy Admin legacy-admin allows Reflected XSS.This issue affects Legacy Admin: from n/a through <= 9.5.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.007 JavaScript Execution
Adversaries may abuse various implementations of JavaScript for execution.
T1185 Browser Session Hijacking Collection
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Why these techniques?

Reflected XSS directly enables public web app exploitation (T1190) with arbitrary JS execution (T1059.007) and supports browser session hijacking (T1185).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-23722Shared CWE-79
CVE-2025-68874Shared CWE-79
CVE-2025-53231Shared CWE-79
CVE-2025-0521Shared CWE-79
CVE-2025-15440Shared CWE-79
CVE-2025-22766Shared CWE-79
CVE-2026-22867Shared CWE-79
CVE-2025-40587Shared CWE-79
CVE-2022-50905Shared CWE-79
CVE-2026-42685Shared CWE-79

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-10 mandates information input validation at entry points, directly preventing the improper neutralization of input that enables reflected XSS in the Legacy Admin WordPress plugin.

prevent

SI-15 requires filtering of information output to block script injection, comprehensively addressing reflected XSS execution in victim browsers.

prevent

SI-2 ensures timely identification, reporting, and correction of flaws like the reflected XSS vulnerability in Legacy Admin versions through 9.5.

References