anonhaven
Ad

CVE-2026-2432

MEDIUM CVSS 3.1: 4.4
Updated Mar 20, 2026
WordPress
Parameter Value
CVSS 4.4 (MEDIUM)
Type CWE-79 (Cross-Site Scripting (XSS))
Vendor WordPress
Public PoC No

The CM Custom Reports – Flexible reporting to track what matters most plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.2.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
High
Difficult to exploit
Privileges Required
High
Admin privileges needed
User Interaction
None
No user interaction needed

Impact Assessment

Confidentiality
Low
Partial data leak
Integrity
Low
Partial data modification
Availability
None
No disruption

CVSS Vector v3.1

Weakness Type (CWE)

CWE-79 Cross-Site Scripting (XSS)

Vulnerable Products

creativemindssolutions:cm custom reports – flexible reporting to track what matters most

References 4

https://www.wordfence.com/threat-intel/vulnerabilities/id/e642b5e1-62c1-4aa9-b5…
NVD
https://plugins.trac.wordpress.org/browser/cm-custom-reports/trunk/backend/clas…
NVD
https://plugins.trac.wordpress.org/browser/cm-custom-reports/tags/1.2.7/backend…
NVD
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&ol…
NVD
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-3550

WordPress

5.3

CVE-2026-2421

WordPress

6.5

CVE-2026-4136

WordPress

4.3

CVE-2026-4038

WordPress

9.8

CVE-2026-3658

WordPress

7.5