CVE-2026-27382
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RadiusTheme Metro metro allows DOM-Based XSS.This issue affects Metro: from n/a through <= 2.13.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
DOM-Based XSS vulnerability in WordPress Metro theme up to 2.13 allows attackers to inject malicious scripts via crafted input.
The vulnerability is a DOM-Based Cross-Site Scripting (XSS) issue in the Metro theme for WordPress, affecting versions up to and including 2.13. The root cause is improper neutralization of user input during web page generation, allowing an attacker to inject arbitrary JavaScript that executes in the context of the victim's browser [1].
Exploitation requires user interaction, such as clicking a malicious link or visiting a crafted page. The attacker does not need authentication, but the victim must perform an action for the payload to execute. This makes it suitable for mass-exploit campaigns targeting thousands of websites [1].
Successful exploitation enables the attacker to inject malicious scripts, including redirects, advertisements, or other HTML payloads. These scripts execute when visitors access the compromised site, potentially leading to data theft, defacement, or further attacks [1].
Mitigation is available by updating the Metro theme to a patched version. For users unable to update immediately, Patchstack has issued a mitigation rule to block attacks until an official patch can be applied [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1- Range: <=2.13
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1News mentions
0No linked articles in our index yet.