CVE-2026-39548: WordPress MagOne theme <= 9.0 - Reflected Cross Site Scripting (XSS) vulnerability

Synopsis

Reflected cross-site scripting (XSS) vulnerability affects the MagOne WordPress theme by Sneeit in versions 9.0 and earlier. An unauthenticated attacker can deliver a malicious link to a victim over the network, and when the victim clicks it, the attacker's script executes inside the victim's browser session on the affected site. Successful exploitation lets an attacker read browser-accessible data such as session cookies, inject content into the page, and trigger minor disruption of the user's experience. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Exploit Conditions

• Network reachabilityRequired

  The attacker must be able to deliver a crafted URL to a victim who accesses the affected site over the network, making the service's public exposure a prerequisite.

• AuthenticationNot required

  No account or credentials are needed; the attack is carried out by any unauthenticated party who can send a link to a victim.

• Victim interactionRequired

  The victim must click or otherwise load the attacker-crafted URL, making social engineering or phishing a necessary step in the attack chain.

• Attack complexityDetail

  Attack complexity is low, meaning the exploit is reliable and requires no special conditions, race conditions, or environmental factors to succeed.

Blast Radius

• Attacker script runs in the victim's browser session and can read session cookies or authentication tokens accessible to JavaScript on that origin.
• Injected script can modify page content seen by the victim, enabling phishing overlays or redirection to attacker-controlled sites.
• Browser-stored credentials or form data visible to the page context can be exfiltrated to an external endpoint.
• The affected page's functionality can be disrupted for the targeted user during the attack session.