anonhaven
Ad

CVE-2026-2431

MEDIUM CVSS 3.1: 6.1 EPSS 0.06%
Updated Mar 07, 2026
WordPress
Parameter Value
CVSS 6.1 (MEDIUM)
Type CWE-79 (Cross-Site Scripting (XSS) (Межсайтовый скриптинг))
Vendor WordPress
Public PoC No

The CM Custom Reports plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'date_from' and 'date_to' parameters in all versions up to, and including, 1.2.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Attack Parameters

Attack Vector
Network
Атака возможна удалённо
Attack Complexity
Low
Легко эксплуатировать
Privileges Required
None
Права не нужны
User Interaction
Required
Нужно действие пользователя

Impact Assessment

Confidentiality
Low
Частичная утечка данных
Integrity
Low
Частичная модификация данных
Availability
None
Нет нарушения работы

CVSS Vector v3.1

Weakness Type (CWE)

CWE-79 Cross-Site Scripting (XSS) (Межсайтовый скриптинг)

References 3

https://plugins.trac.wordpress.org/browser/cm-custom-reports/tags/1.2.7/backend…
security@wordfence.com
https://plugins.trac.wordpress.org/browser/cm-custom-reports/trunk/backend/repo…
security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/e9b918e1-9bf7-4f90-9e…
security@wordfence.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-2433

WordPress

6.1

CVE-2026-2420

WordPress

4.4

CVE-2026-1825

WordPress

6.4

CVE-2026-1824

WordPress

6.4

CVE-2026-1823

WordPress

6.4