CVE-2026-2431
Reflected XSS in CM Custom Reports Plugin Allows Script Injection
Publication date: 2026-03-07
Last updated on: 2026-03-07
Assigner: Wordfence
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cm_custom_reports | cm_custom_reports | up to and including 1.2.7 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Update the CM Custom Reports plugin to a version later than 1.2.7 in which the vulnerability is fixed, as soon as one is available.
- If an update is not yet available, restrict access to the affected report pages to trusted users only, for example by limiting who can reach the WordPress admin area or by adding firewall rules in front of it.
- Add Web Application Firewall (WAF) rules that block requests to the plugin's report pages whose 'date_from' or 'date_to' values contain HTML markup or script (for example '<', '>', quotes, or 'javascript:'); a legitimate value for these parameters is a date.
- Until the plugin is patched, site users, and administrators in particular, should not open links to the report page that they did not build themselves, since the attack only needs a victim to open a crafted URL.
Can you explain this vulnerability to me?
The CM Custom Reports plugin for WordPress has a Reflected Cross-Site Scripting (XSS) vulnerability in versions up to and including 1.2.7. The plugin does not sanitize or escape the 'date_from' and 'date_to' parameters before echoing them into the report page, so whatever is passed in those parameters is written into the HTML as-is. An attacker who is not authenticated can therefore craft a link carrying script in those parameters; when a logged-in user opens that link, the injected script is reflected back in the page and executes in the user's browser under the site's origin.
How can this vulnerability impact me?
This vulnerability allows an attacker to run arbitrary script in the browser of any user who opens a maliciously crafted link to your site, with the privileges that user's session has on the site. That can lead to theft of credentials, session hijacking, defacement of the website, or redirection to malicious sites. Because the attack is reflected and requires user interaction, it is typically aimed at specific users or administrators, whose sessions can be used to compromise sensitive data or take control of the WordPress site.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the 'date_from' and 'date_to' parameters of the CM Custom Reports WordPress plugin for reflected Cross-Site Scripting (XSS). An unauthenticated attacker can inject arbitrary script via these parameters.

To detect this on your system, send HTTP requests to the affected plugin's report page with crafted payloads in the 'date_from' and 'date_to' parameters and check whether the payload is reflected unescaped in the response.

- Use curl or a similar tool to send a request with an XSS payload, for example:
- curl -G --data-urlencode "date_from=<script>alert(1)</script>" --data-urlencode "date_to=2026-01-01" "https://yourwordpresssite.com/wp-admin/admin.php?page=cm-custom-reports&report=registered-users"
- Quote the URL, as above, so the shell does not treat the '&' as a background operator. The report page lives under wp-admin, so an unauthenticated request is redirected to the login page; send the request with the cookies of a logged-in session (curl's -b option) to see the report page itself.
- Inspect the response HTML for the injected script tag appearing verbatim. A safe response shows it HTML-encoded (for example '&lt;script&gt;') rather than as a live tag.

Additionally, monitoring web server logs for requests to the plugin's report pages whose query string contains script tags or other unusual characters in 'date_from' or 'date_to' can help detect exploitation attempts. [3]
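The checks described above, as an added example that is not part of the original page or of the plugin's own code: a Python script that (1) classifies how a payload comes back in a response body, distinguishing raw reflection (vulnerable) from HTML-escaped reflection (safe), and (2) scans web server access-log lines for script-like 'date_from'/'date_to' values, flagging only requests to the cm-custom-reports admin page. The two renderers at the top are constructed stand-ins for the report page, one echoing the parameters raw and one escaping them; the plugin's real markup is not on this page, so they are assumptions. The parameter, page and report names are taken from the page; the sample log lines are constructed, in the Apache/nginx combined log format, and are not from any real server.

```python
"""Reflected-XSS reflection check and access-log triage for the
CM Custom Reports 'date_from'/'date_to' parameters.

Added example; the renderers below are assumptions that only model
"echoed raw" versus "echoed escaped", not the plugin's actual code.
"""
import html
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

PAYLOAD = "<script>alert(1)</script>"
PARAMS = ("date_from", "date_to")
REPORT_PAGE = "cm-custom-reports"


def render_unescaped(params):
    """Constructed stand-in for the vulnerable page: values echoed as-is."""
    return "<p>Report from %s to %s</p>" % (params["date_from"], params["date_to"])


def render_escaped(params):
    """Constructed stand-in for a fixed page: values HTML-escaped on output."""
    return "<p>Report from %s to %s</p>" % (
        html.escape(params["date_from"]), html.escape(params["date_to"]))


def reflection_state(body, payload=PAYLOAD):
    """Classify how the payload appears in a response body.

    'raw'     - payload present verbatim: the page is vulnerable
    'escaped' - payload present only as HTML entities: output is escaped
    'absent'  - payload not reflected at all
    """
    if payload in body:
        return "raw"
    if html.escape(payload) in body or html.escape(payload, quote=False) in body:
        return "escaped"
    return "absent"


# Combined log format: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Characters and tokens that never belong in a date value.
SUSPICIOUS = re.compile(r'[<>"\']|javascript:|on\w+\s*=', re.I)


def suspicious_values(target):
    """Return (param, decoded value) pairs with script-like content, but only
    for requests to the plugin's report page under wp-admin."""
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/admin.php"):
        return []
    qs = parse_qs(parts.query, keep_blank_values=True)
    if qs.get("page") != [REPORT_PAGE]:
        return []
    hits = []
    for param in PARAMS:
        for value in qs.get(param, []):
            # parse_qs already decoded once; decode again to catch
            # double-encoded payloads such as %253Cscript%253E.
            value = unquote_plus(value)
            if SUSPICIOUS.search(value):
                hits.append((param, value))
    return hits


def scan_log(lines):
    """Parse access-log lines and collect suspicious report-page requests."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for param, value in suspicious_values(m["target"]):
            findings.append({"ip": m["ip"], "status": m["status"],
                             "param": param, "value": value})
    return findings


# Constructed sample log lines (not from any real server).
SAMPLE_LOG = [
    '203.0.113.7 - - [07/Mar/2026:10:15:01 +0000] "GET /wp-admin/admin.php?page=cm-custom-reports&report=registered-users&date_from=%3Cscript%3Ealert(1)%3C%2Fscript%3E&date_to=2026-01-01 HTTP/1.1" 200 5123',
    '198.51.100.9 - - [07/Mar/2026:10:16:44 +0000] "GET /wp-admin/admin.php?page=cm-custom-reports&report=registered-users&date_from=2026-01-01&date_to=2026-02-01 HTTP/1.1" 200 4980',
    '203.0.113.7 - - [07/Mar/2026:10:17:02 +0000] "GET /wp-admin/admin.php?page=other-plugin&date_from=%3Cimg+src%3Dx+onerror%3Dalert(1)%3E HTTP/1.1" 302 0',
    '192.0.2.4 - - [07/Mar/2026:10:18:30 +0000] "GET /wp-admin/admin.php?page=cm-custom-reports&report=registered-users&date_from=2026-01-01&date_to=%22%3E%3Cimg+src%3Dx+onerror%3Dalert(1)%3E HTTP/1.1" 200 5201',
]

if __name__ == "__main__":
    sample = {"date_from": PAYLOAD, "date_to": "2026-01-01"}
    print("unescaped page:", reflection_state(render_unescaped(sample)))
    print("escaped page:  ", reflection_state(render_escaped(sample)))
    for hit in scan_log(SAMPLE_LOG):
        print("suspicious request:", hit)
```

To test a live site, fetch the report page with the payload in each parameter (an authenticated session is needed, since wp-admin redirects anonymous requests to the login form) and pass the response body to reflection_state(); 'raw' means the page is vulnerable. The log scanner deliberately ignores the third sample line because it targets a different admin page, so that alerts stay tied to this plugin's report page rather than to every request containing angle brackets.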