{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27382", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-19T09:51:58.586Z", "datePublished": "2026-03-05T05:53:58.133Z", "dateUpdated": "2026-04-28T16:15:02.818Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "metro", "product": "Metro", "vendor": "RadiusTheme", "versions": [{"lessThanOrEqual": "2.13", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:05:31.044Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RadiusTheme Metro metro allows DOM-Based XSS.<p>This issue affects Metro: from n/a through <= 2.13.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RadiusTheme Metro metro allows DOM-Based XSS.This issue affects Metro: from n/a through <= 2.13."}], "impacts": [{"capecId": "CAPEC-588", "descriptions": [{"lang": "en", "value": "DOM-Based XSS"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:15:02.818Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/metro/vulnerability/wordpress-metro-theme-2-13-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "title": "WordPress Metro theme <= 2.13 - Reflected Cross Site Scripting (XSS) vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-09T15:53:56.394812Z", "id": "CVE-2026-27382", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T16:06:07.476Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27382", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-19T09:51:58.586Z", "datePublished": "2026-03-05T05:53:58.133Z", "dateUpdated": "2026-04-28T16:06:07.476Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "metro", "product": "Metro", "vendor": "RadiusTheme", "versions": [{"lessThanOrEqual": "2.13", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-28T13:27:16.115Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RadiusTheme Metro metro allows DOM-Based XSS.<p>This issue affects Metro: from n/a through <= 2.13.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RadiusTheme Metro metro allows DOM-Based XSS.This issue affects Metro: from n/a through <= 2.13."}], "impacts": [{"capecId": "CAPEC-588", "descriptions": [{"lang": "en", "value": "DOM-Based XSS"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T12:10:52.162Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/metro/vulnerability/wordpress-metro-theme-2-13-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "title": "WordPress Metro theme <= 2.13 - Reflected Cross Site Scripting (XSS) vulnerability"}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27382", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-09T15:53:56.394812Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T15:53:21.864Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RadiusTheme Metro metro allows DOM-Based XSS.This issue affects Metro: from n/a through <= 2.13."}, {"lang": "es", "value": "Neutralizaci\u00f3n Incorrecta de la Entrada Durante la Generaci\u00f3n de P\u00e1ginas Web ('cross-site scripting') vulnerabilidad en RadiusTheme Metro metro permite XSS basado en DOM. Este problema afecta a Metro: desde n/a hasta &lt;= 2.13."}], "id": "CVE-2026-27382", "lastModified": "2026-04-22T21:26:58.303", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-05T06:16:27.567", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/metro/vulnerability/wordpress-metro-theme-2-13-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.13]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Metro", "source": "cna", "vendor": "RadiusTheme"}, "product": "metro", "vendor": "radiustheme"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T23:33:20.249870+00:00", "value": {"mitigation_remediation": ["Upgrade Metro to version 2.14 or later to eliminate the DOM\u2011based XSS flaw.", "If an upgrade cannot be performed immediately, deploy a Web Application Firewall or content\u2011security\u2011policy that blocks execution of untrusted scripts.", "Ensure that any input parameters used by the theme are properly sanitized on both the client and server side, or remove the affected features entirely from the deployment."], "summary": {"action": "Apply Patch", "impact": "Cross\u2011Site Scripting (XSS) that enables the injection of arbitrary JavaScript into the page viewed by a victim, potentially leading to credential theft, session hijacking, or defacement."}, "threat_synthesis": {"affected_systems": "The vulnerability affects the WordPress Metro theme from vendor RadiusTheme, specifically all releases numbered 2.13 and earlier, including earlier undocumented releases. Any instance of the theme without an upgrade to a later version is susceptible.", "description_and_impact": "RadiusTheme Metro theme (versions up to 2.13) contains a DOM\u2011based Cross\u2011Site Scripting flaw caused by an improper neutralization of user input before it is displayed in a web page. An attacker can inject malicious JavaScript that will execute in the context of the victim\u2019s browser, allowing the attacker to read or modify sensitive information, hijack user sessions, or deface the site.", "risk_and_exploitability": "The vulnerability is rated with a CVSS score of 7.1, indicating a medium\u2011to\u2011high impact if exploited. The EPSS score is reported as less than 1%, suggesting that the chance of real\u2011world exploitation is presently very low. The CVE is not listed in CISA\u2019s KEV catalog. Exploitation is likely to occur via crafted URLs or form inputs that the theme processes; the attacker would need only a user clicking a link or visiting a malicious page to trigger the payload. As the flaw is DOM\u2011based, it does not require any server\u2011side components to be compromised, which limits prerequisites but also means the vector is web\u2011based and only requires user interaction."}}}}, "created": "2026-03-06T15:12:12.305829+00:00", "updated": "2026-04-15T23:45:05.913244+00:00", "vendors": ["radiustheme", "radiustheme$PRODUCT$metro", "wordpress", "wordpress$PRODUCT$wordpress"]}