CVE-2026-2432 in CM Custom Reports Plugin
Summary
by MITRE • 03/20/2026
The CM Custom Reports – Flexible reporting to track what matters most plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.2.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 03/26/2026
The vulnerability identified as CVE-2026-2432 affects the CM Custom Reports plugin for WordPress, specifically targeting versions through 1.2.7. This represents a critical security flaw that exploits stored cross-site scripting mechanisms within the plugin's administrative settings functionality. The vulnerability arises from inadequate input sanitization measures and insufficient output escaping protocols that fail to properly validate or sanitize user-supplied data before it is processed and stored within the system's database. The flaw is particularly concerning because it requires only administrator-level privileges or higher to exploit, making it accessible to malicious actors who have already gained administrative access to a WordPress installation.
The technical implementation of this vulnerability stems from the plugin's failure to properly sanitize user input within its administrative configuration interfaces. When administrators configure report settings or input custom parameters, the plugin does not adequately filter or escape potentially malicious script content that could be embedded within these fields. This creates a persistent XSS vector where malicious scripts can be stored in the database and subsequently executed whenever any user accesses pages containing the compromised data. The vulnerability is further constrained by specific environmental requirements, as it only impacts multi-site WordPress installations and installations where the unfiltered_html capability has been disabled, limiting its exploitation surface but not eliminating the risk for affected environments.
The operational impact of this vulnerability is significant for organizations relying on WordPress for their content management infrastructure. Once exploited, the stored XSS attack can compromise any user who accesses pages containing the malicious script, potentially leading to session hijacking, credential theft, or further system compromise. The attack vector is particularly dangerous in multi-site environments where administrators may have varying levels of access and where the scope of potential impact extends across multiple sites within the same network. The requirement for administrator-level privileges means that the vulnerability could be leveraged by insiders or attackers who have successfully obtained administrative credentials, making it a critical concern for organizations with robust access control measures that are still vulnerable to credential compromise.
Organizations affected by this vulnerability should immediately implement several mitigation strategies to reduce the risk of exploitation. The most immediate and effective solution is to upgrade to the latest version of the CM Custom Reports plugin where the XSS vulnerability has been addressed through proper input sanitization and output escaping mechanisms. This upgrade process should be conducted with careful attention to backup procedures and testing to ensure that existing report configurations and data are preserved. Additionally, implementing network-level monitoring and intrusion detection systems can help identify potential exploitation attempts by monitoring for suspicious script injection patterns in web traffic. Security hardening measures should include regular security audits of installed plugins and themes, implementing strict access controls for administrative accounts, and establishing robust credential management practices to minimize the likelihood of unauthorized access that could enable exploitation of this vulnerability. This vulnerability aligns with CWE-79 which specifically addresses cross-site scripting flaws, and represents a typical example of how inadequate input validation can create persistent security risks in web applications. The ATT&CK framework categorizes this as a privilege escalation and persistence technique that leverages administrative access to establish long-term control over affected systems.