CVE-2026-2432: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in creativemindssolutions CM Custom Reports – Flexible reporting to track what matters most
CVE-2026-2432 is a stored Cross-Site Scripting (XSS) vulnerability in the CM Custom Reports WordPress plugin, affecting all versions up to 1.2.7. It allows authenticated users with administrator-level permissions or higher to inject malicious scripts via the admin settings. The vulnerability specifically impacts multi-site WordPress installations or those with unfiltered_html disabled. Exploitation requires high privileges and no user interaction, with a medium CVSS score of 4.4. Successful exploitation can lead to limited confidentiality and integrity impacts but does not affect availability. No known exploits are currently reported in the wild. Organizations using this plugin in multi-site environments should prioritize patching or mitigating this issue to prevent potential script injection attacks.
AI Analysis
Technical Summary
CVE-2026-2432 is a stored Cross-Site Scripting (XSS) vulnerability categorized under CWE-79, found in the CM Custom Reports – Flexible reporting to track what matters most plugin for WordPress. This vulnerability exists in all plugin versions up to and including 1.2.7 due to insufficient input sanitization and output escaping in the plugin's admin settings interface. The flaw allows authenticated attackers with administrator-level permissions or higher to inject arbitrary JavaScript code into pages generated by the plugin. These malicious scripts execute whenever any user accesses the compromised page, potentially enabling session hijacking, privilege escalation, or unauthorized actions within the WordPress environment. The vulnerability is constrained to multi-site WordPress installations or those where the unfiltered_html capability is disabled, limiting its scope. The CVSS v3.1 base score is 4.4, reflecting a medium severity with network attack vector, high attack complexity, and requiring high privileges but no user interaction. No public exploits have been reported yet, and no official patches are linked, indicating the need for manual mitigation or vendor updates. The vulnerability's impact is primarily on confidentiality and integrity, as attackers can execute scripts that may steal sensitive data or manipulate site content.
Potential Impact
The vulnerability poses a moderate risk to organizations using the affected WordPress plugin in multi-site environments or with unfiltered_html disabled. Attackers with administrator privileges can inject persistent malicious scripts, potentially compromising user sessions, stealing sensitive information, or performing unauthorized actions within the WordPress dashboard. While the attack requires high privileges, the impact on confidentiality and integrity can be significant if exploited, especially in environments with multiple administrators or users accessing the injected pages. The vulnerability does not affect availability, so denial of service is unlikely. Organizations relying on this plugin for reporting may face reputational damage and data integrity issues if exploited. Since no known exploits are currently in the wild, the risk is somewhat mitigated, but the presence of the vulnerability necessitates prompt remediation to prevent future attacks.
Mitigation Recommendations
To mitigate CVE-2026-2432, organizations should first check if they are running multi-site WordPress installations or have unfiltered_html disabled, as single-site installations with unfiltered_html enabled are not affected. Immediate steps include restricting administrator access to trusted personnel only, minimizing the number of users with high privileges. Until an official patch is released, consider disabling or uninstalling the CM Custom Reports plugin to eliminate the attack surface. If disabling is not feasible, implement Web Application Firewall (WAF) rules to detect and block suspicious script injection attempts in admin settings. Regularly audit and sanitize all inputs in the plugin’s admin interface manually if possible. Monitor logs for unusual administrator activity or unexpected script injections. Stay updated with vendor announcements for patches and apply them promptly once available. Additionally, educate administrators on the risks of stored XSS and enforce strong authentication and session management practices to reduce exploitation impact.
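A constructed illustration of the bug class the analysis describes and of the scope check the mitigation section asks for; this is added example code, not the CM Custom Reports plugin's own source (which the page does not show). The option name, field name and function names are hypothetical.

```php
<?php
// Constructed example; not code from CM Custom Reports. Option/field names are hypothetical.

// 1. Scope check from the mitigation section: is this site in the configuration the advisory
//    applies to? WordPress core removes unfiltered_html from administrators on multisite
//    (non-super-admins) and wherever DISALLOW_UNFILTERED_HTML is set, so the plugin itself
//    becomes the only thing standing between an admin's input and stored script.
function cmr_demo_site_in_advisory_scope( $admin_user_id ) {
    if ( is_multisite() ) {
        return true;
    }
    return ! user_can( $admin_user_id, 'unfiltered_html' );
}

// 2. Weak pattern (the CWE-79 shape the advisory describes): request value stored as-is,
//    stored value echoed as-is. Any markup an admin submits lands in every later page view.
function cmr_demo_save_weak() {
    if ( isset( $_POST['cmr_demo_report_title'] ) ) {
        update_option( 'cmr_demo_report_title', wp_unslash( $_POST['cmr_demo_report_title'] ) );
    }
}
function cmr_demo_render_weak() {
    echo '<h2>' . get_option( 'cmr_demo_report_title', '' ) . '</h2>';
}

// 3. Hardened pattern: sanitize on save through the Settings API, escape at the output context.
//    For a plain-text field sanitize_text_field() strips tags entirely; a field that must hold
//    markup would use wp_kses_post() instead, which is what core applies to post content for
//    users without unfiltered_html.
function cmr_demo_register_settings() {
    register_setting(
        'cmr_demo_options',
        'cmr_demo_report_title',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'sanitize_text_field',
            'default'           => '',
        )
    );
}
add_action( 'admin_init', 'cmr_demo_register_settings' );

function cmr_demo_render_hardened() {
    // Escape on output regardless of what was stored: esc_html() for element content,
    // esc_attr() if the value ever goes into an attribute.
    echo '<h2>' . esc_html( get_option( 'cmr_demo_report_title', '' ) ) . '</h2>';
}
```

Running cmr_demo_site_in_advisory_scope() for each administrator account is a quick way to decide whether the affected-configuration condition in the advisory applies before choosing between disabling the plugin and adding WAF rules.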
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, India, Brazil, Japan, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-02-12T21:17:51.101Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69bd0b4ce32a4fbe5f4933aa
Added to database: 3/20/2026, 8:54:36 AM
Last enriched: 3/20/2026, 9:09:52 AM
Last updated: 3/20/2026, 11:31:37 AM