{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28137", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-25T12:14:18.579Z", "datePublished": "2026-03-05T05:54:31.838Z", "dateUpdated": "2026-04-28T16:15:09.340Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "medicenter", "product": "MediCenter - Health Medical Clinic", "vendor": "QuanticaLabs", "versions": [{"lessThanOrEqual": "14.9", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-28T13:51:55.387Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in QuanticaLabs MediCenter - Health Medical Clinic medicenter allows Reflected XSS.<p>This issue affects MediCenter - Health Medical Clinic: from n/a through <= 14.9.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in QuanticaLabs MediCenter - Health Medical Clinic medicenter allows Reflected XSS.This issue affects MediCenter - Health Medical Clinic: from n/a through <= 14.9."}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "Reflected XSS"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:15:09.340Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/medicenter/vulnerability/wordpress-medicenter-health-medical-clinic-wordpress-theme-theme-14-9-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "title": "WordPress MediCenter - Health Medical Clinic WordPress Theme theme <= 14.9 - Reflected Cross Site Scripting (XSS) vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-05T14:39:49.469856Z", "id": "CVE-2026-28137", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T13:37:45.550Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28137", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-05T14:39:49.469856Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-05T14:38:14.083Z"}}], "cna": {"title": "WordPress MediCenter - Health Medical Clinic WordPress Theme theme <= 14.9 - Reflected Cross Site Scripting (XSS) vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "Reflected XSS"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "QuanticaLabs", "product": "MediCenter - Health Medical Clinic", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "14.9"}], "packageName": "medicenter", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-28T13:51:55.387Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/medicenter/vulnerability/wordpress-medicenter-health-medical-clinic-wordpress-theme-theme-14-9-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in QuanticaLabs MediCenter - Health Medical Clinic medicenter allows Reflected XSS.This issue affects MediCenter - Health Medical Clinic: from n/a through <= 14.9.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in QuanticaLabs MediCenter - Health Medical Clinic medicenter allows Reflected XSS.<p>This issue affects MediCenter - Health Medical Clinic: from n/a through <= 14.9.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T12:10:56.687Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28137", "state": "PUBLISHED", "dateUpdated": "2026-04-28T13:37:45.550Z", "dateReserved": "2026-02-25T12:14:18.579Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-05T05:54:31.838Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in QuanticaLabs MediCenter - Health Medical Clinic medicenter allows Reflected XSS.This issue affects MediCenter - Health Medical Clinic: from n/a through <= 14.9."}, {"lang": "es", "value": "Neutralizaci\u00f3n Incorrecta de la Entrada Durante la Generaci\u00f3n de P\u00e1ginas Web ('cross-site scripting') vulnerabilidad en QuanticaLabs MediCenter - Health Medical Clinic medicenter permite XSS Reflejado. Este problema afecta a MediCenter - Health Medical Clinic: desde n/a hasta &lt;= 14.9."}], "id": "CVE-2026-28137", "lastModified": "2026-04-22T21:27:27.950", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-05T06:16:48.460", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/medicenter/vulnerability/wordpress-medicenter-health-medical-clinic-wordpress-theme-theme-14-9-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,14.9]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "MediCenter - Health Medical Clinic", "source": "cna", "vendor": "QuanticaLabs"}, "product": "medicenter_-_health_medical_clinic", "vendor": "quanticalabs"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T22:44:56.190686+00:00", "value": {"mitigation_remediation": ["Update the MediCenter \u2013 Health Medical Clinic theme to the latest patched version (e.g., 15.0 or newer).", "Implement a Content Security Policy that blocks inline scripts and restricts script sources to trusted origins.", "Sanitize all user\u2011supplied content passed through the theme using proper escaping functions such as wp_kses or esc_html."], "summary": {"action": "Patch Now", "impact": "Cross\u2011Site Scripting (Reflected) allowing arbitrary script execution in users\u2019 browsers"}, "threat_synthesis": {"affected_systems": "Affected systems include the QuanticaLabs MediCenter \u2013 Health Medical Clinic WordPress theme, for all releases from its initial version through to and including version 14.9. A site that has not upgraded beyond 14.9 exposes the reflected XSS risk.", "description_and_impact": "The vulnerability is a reflected Cross\u2011Site Scripting flaw in the WordPress MediCenter \u2013 Health Medical Clinic theme that allows an attacker to inject malicious script into pages viewed by users. Because the theme fails to neutralize user\u2011supplied input before outputting it, an attacker can execute arbitrary JavaScript in the victim's browser, potentially exposing cookies, hijacking sessions, or delivering further malware. This weakness corresponds to CWE\u201179, Improper Neutralization of Input.", "risk_and_exploitability": "The issue carries a CVSS score of 7.1, indicating high severity. Its EPSS score is less than 1\u202f%, suggesting low but non\u2011zero probability of exploitation in the wild. The vulnerability is not currently listed in CISA\u2019s KEV catalog. The attack vector is inferred to be a crafted URL or form input that the theme displays without sanitization; a malicious link embedded in a post or widget could trigger the script when clicked by a user."}}}}, "created": "2026-03-06T15:08:07.579385+00:00", "updated": "2026-04-15T22:45:16.449498+00:00", "vendors": ["quanticalabs", "quanticalabs$PRODUCT$medicenter_-_health_medical_clinic", "wordpress", "wordpress$PRODUCT$wordpress"]}