{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24948", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-28T09:50:29.517Z", "datePublished": "2026-02-20T15:47:08.086Z", "dateUpdated": "2026-04-28T16:14:51.242Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "reflector-plugins", "product": "Reflector", "vendor": "fox-themes", "versions": [{"changes": [{"at": "1.2.3", "status": "unaffected"}], "lessThanOrEqual": "1.2.2", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:04:56.695Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fox-themes Reflector reflector-plugins allows Reflected XSS.<p>This issue affects Reflector: from n/a through <= 1.2.2.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fox-themes Reflector reflector-plugins allows Reflected XSS.This issue affects Reflector: from n/a through <= 1.2.2."}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "Reflected XSS"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:51.242Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/reflector-plugins/vulnerability/wordpress-reflector-plugin-1-2-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "title": "WordPress Reflector plugin <= 1.2.2 - Reflected Cross Site Scripting (XSS) vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-20T18:37:13.316325Z", "id": "CVE-2026-24948", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T14:49:35.838Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24948", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-28T09:50:29.517Z", "datePublished": "2026-02-20T15:47:08.086Z", "dateUpdated": "2026-04-28T14:49:35.838Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "reflector-plugins", "product": "Reflector", "vendor": "fox-themes", "versions": [{"changes": [{"at": "1.2.3", "status": "unaffected"}], "lessThanOrEqual": "1.2.2", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-28T13:26:29.342Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fox-themes Reflector reflector-plugins allows Reflected XSS.<p>This issue affects Reflector: from n/a through <= 1.2.2.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fox-themes Reflector reflector-plugins allows Reflected XSS.This issue affects Reflector: from n/a through <= 1.2.2."}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "Reflected XSS"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T12:10:46.613Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/reflector-plugins/vulnerability/wordpress-reflector-plugin-1-2-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "title": "WordPress Reflector plugin <= 1.2.2 - Reflected Cross Site Scripting (XSS) vulnerability"}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24948", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-20T18:37:13.316325Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-20T18:37:07.624Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fox-themes Reflector reflector-plugins allows Reflected XSS.This issue affects Reflector: from n/a through <= 1.2.2."}, {"lang": "es", "value": "Vulnerabilidad de Neutralizaci\u00f3n Incorrecta de la Entrada Durante la Generaci\u00f3n de P\u00e1ginas Web ('cross-site scripting') en fox-themes Reflector reflector-plugins permite XSS Reflejado. Este problema afecta a Reflector: desde n/a hasta &lt;= 1.2.2."}], "id": "CVE-2026-24948", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-20T16:22:39.157", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/reflector-plugins/vulnerability/wordpress-reflector-plugin-1-2-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.2.2]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[1.2.3,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Reflector", "source": "cna", "vendor": "fox-themes"}, "product": "reflector", "vendor": "fox-themes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T23:59:13.297917+00:00", "value": {"mitigation_remediation": ["Apply the official patch released by fox\u2011themes that updates the Reflector plugin to version 1.2.3 or newer.", "Disallow any untrusted input in template files by ensuring that the plugin\u2019s request handlers validate and escape all user\u2010supplied parameters before rendering.", "Disable or restrict the affected plugin entirely on sites where the update cannot be applied immediately, using WordPress\u2019 plugin disable functionality or a site\u2011wide configuration change."], "summary": {"action": "Patch Immediately", "impact": "Reflected Cross\u2011Site Scripting (XSS) that can compromise user sessions and deface content."}, "threat_synthesis": {"affected_systems": "All installations of the WordPress Reflector plugin with a version number of 1.2.2 or earlier are affected. The plugin is distributed by fox\u2011themes under the name \"Reflector.\" No other WordPress plugins or core components are listed as impacted.", "description_and_impact": "The Reflector plugin for WordPress contains an improper neutralization of input vulnerability that allows attacker\u2011supplied data to be reflected unfiltered in the rendered page. This flaw is a classic Cross\u2011Site Scripting (CWE\u201179) weakness that can enable malicious scripts to run in the context of any user who visits a crafted URL or interacts with a vulnerable form. Load\u2011time exploitation can lead to cookie theft, session hijacking, defacement, or the delivery of additional malware to unsuspecting visitors.", "risk_and_exploitability": "The vulnerability scores a CVSS base of 7.1, indicating moderate to high severity. The EPSS value is reported as less than 1\u202f%, indicating a very low historic exploitation likelihood; however, the flaw remains publicly documented. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires that a user visits a specially crafted URL or submits a tampered form field, both of which can be trivially constructed by an attacker. Because the payload executes in the victim\u2019s browser, the risk is confined to the rendering context of that user and does not affect server\u2011side state."}}}}, "created": "2026-02-23T14:35:54.118866+00:00", "updated": "2026-04-16T00:00:14.164439+00:00", "vendors": ["fox-themes", "fox-themes$PRODUCT$reflector", "wordpress", "wordpress$PRODUCT$wordpress"]}