Attack Vectors
CM Custom Reports – Flexible reporting to track what matters most (slug: cm-custom-reports) has a Medium-severity vulnerability (CVSS 6.1, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) identified as CVE-2026-2431. It is a Reflected Cross-Site Scripting (XSS) issue affecting versions up to and including 1.2.7.
The primary attack path is simple and business-relevant: an unauthenticated attacker crafts a link that includes malicious input in the date_from and/or date_to parameters. The attacker then relies on social engineering—for example, sending the link via email, direct message, or a convincing internal-looking request—to get a staff member to click it.
Because the exploit requires user interaction (the victim needs to click or otherwise load the link), campaigns often target roles with access to dashboards, analytics, or administrative tooling—such as marketing directors, executives, finance, or compliance—where the resulting impact can be more meaningful.
Security Weakness
The weakness is rooted in insufficient input sanitization and output escaping for the date_from and date_to parameters. In plain terms: the plugin does not reliably treat these inputs as untrusted, and it can reflect them back into a page in a way that allows attacker-supplied script to run in the victim’s browser.
This is a classic web-application risk pattern: when data from a URL parameter is displayed on a page without proper handling, it can be used to run unwanted actions under the victim’s session context. In this case, the vulnerability is specifically reflected (delivered via a crafted request), rather than being stored long-term on the site.
Remediation is straightforward: update CM Custom Reports to version 1.2.8 or newer, which addresses the issue.
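To make the weakness concrete, here is an added illustration (not the plugin's own code, which this advisory does not show) of the reflective pattern described above next to a hardened version; the function names, the form markup and the assumed YYYY-MM-DD date format are assumptions:

```php
<?php
// Added illustration, not the plugin's own code. Assumes a WordPress
// request handler that echoes the two report-range parameters back
// into a filter form on the same page.

// BEFORE (the pattern the advisory describes): raw query-string values
// are reflected into HTML attributes with no validation or escaping.
function cmcr_example_render_range_unsafe() {
    $from = isset( $_GET['date_from'] ) ? $_GET['date_from'] : '';
    $to   = isset( $_GET['date_to'] )   ? $_GET['date_to']   : '';
    echo '<input type="text" name="date_from" value="' . $from . '">';
    echo '<input type="text" name="date_to" value="' . $to . '">';
}

// AFTER: treat the parameter as untrusted. Accept only the one shape a
// report date can take (YYYY-MM-DD that is also a real calendar date),
// fall back to an empty string otherwise, and escape on output regardless.
function cmcr_example_valid_date( $value ) {
    $value = sanitize_text_field( wp_unslash( $value ) );
    if ( ! preg_match( '/^\d{4}-\d{2}-\d{2}$/', $value ) ) {
        return '';
    }
    // '!' resets unspecified fields; createFromFormat rolls over dates such
    // as 2024-02-30, so re-serialise and compare to reject those too.
    $dt = DateTime::createFromFormat( '!Y-m-d', $value );
    return ( $dt && $dt->format( 'Y-m-d' ) === $value ) ? $value : '';
}

function cmcr_example_render_range_safe() {
    $from = isset( $_GET['date_from'] ) ? cmcr_example_valid_date( $_GET['date_from'] ) : '';
    $to   = isset( $_GET['date_to'] )   ? cmcr_example_valid_date( $_GET['date_to'] )   : '';
    // Validation above is the input step; esc_attr() is the output-escaping
    // step, and both are needed: a later code path may reuse the value elsewhere.
    echo '<input type="text" name="date_from" value="' . esc_attr( $from ) . '">';
    echo '<input type="text" name="date_to" value="' . esc_attr( $to ) . '">';
}
```

The same allow-list check is also a useful detection rule: any request whose date_from or date_to does not match the expected date shape is worth logging and alerting on, since a legitimate report filter never produces one.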
Technical or Business Impacts
Even at Medium severity, reflected XSS can create outsized business risk because it targets people, not just systems. If a marketing director, executive, or finance/compliance user clicks a malicious link, the attacker’s script may run in their browser in the context of your site—potentially enabling actions the user is authorized to perform.
From a business perspective, likely impacts include account or session misuse, unauthorized changes initiated through the victim’s access, and exposure of information visible in the user’s session. The CVSS vector indicates low attack complexity, no privileges required for the attacker, and user interaction required, with potential confidentiality and integrity impacts (C:L/I:L) but not availability (A:N).
For leadership and compliance teams, the practical risk is reputational and operational: fraudulent activity performed under legitimate user access can complicate investigations, increase incident response costs, and introduce reporting and governance concerns—especially if the targeted user has access to business reporting or administrative functions.
Similar Attacks
Reflected XSS and related web-injection flaws have been used in real-world incidents to target organizations through user clicks and browser-based execution. Examples include:
Magecart-style web skimming campaigns that inject scripts into web pages to capture sensitive data and undermine customer trust.
Cross-site scripting (XSS) attack overviews and real-world usage patterns highlighting how attackers leverage script injection for session abuse and user-driven compromise.
OWASP: XSS attack guidance describing common business impacts and why user-targeted delivery remains effective.