CM Custom Reports – Flexible reporting to track what matters most V…

by | Mar 19, 2026 | Plugins

Attack Vectors

CVE-2026-2432 is a Medium severity (CVSS 4.4) stored cross-site scripting (XSS) issue affecting the WordPress plugin CM Custom Reports – Flexible reporting to track what matters most (slug: cm-custom-reports) in versions 1.2.7 and earlier. The attack path is through admin settings, where a user with administrator (or higher) permissions can insert a malicious script into a field (reported as plugin labels) that later renders in the WordPress admin or related pages.

This vulnerability matters most on WordPress multisite, or on any site where the unfiltered_html capability has been revoked (for example with DISALLOW_UNFILTERED_HTML). On a single-site install, Administrators already hold unfiltered_html and may place arbitrary markup in content, so a script in a settings field crosses no privilege boundary. On multisite only Super Admins hold that capability; a site Administrator is not meant to be able to store executable script, yet through this field one can. The stored payload then executes whenever an affected admin page is viewed, without the viewer clicking anything.

Security Weakness

The weakness is insufficient sanitization on save combined with missing escaping on output in the plugin's settings handling: the label is stored as submitted and echoed into admin markup without passing through an escaping function such as esc_html() or esc_attr(). The browser therefore interprets any tags in the value as markup and script rather than as text. WordPress core does not sanitize arbitrary plugin options on the plugin's behalf; the plugin has to do it, in a sanitize_callback registered with the setting, at render time, or preferably both.

Because the injection is stored, the malicious content remains in place until it is discovered and removed, turning a one-time change in settings into an ongoing risk. This is especially true in multisite configurations where administration and management tasks are distributed across teams or business units, and no single person reviews every site's plugin settings.
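As an added illustration, not CM Custom Reports' own code (which this page does not reproduce), the following PHP contrasts the weak pattern described above with the hardened one for a hypothetical report-label setting. The option name, function names, the constructed payload and the capability stand-in are assumptions made for the example. It runs under plain php because it ships minimal stand-ins for the WordPress functions it calls; inside WordPress those stand-ins are skipped and the real implementations are used.

```php
<?php
// Added example, not CM Custom Reports' own code. A hypothetical "report label"
// setting shows the weak pattern (store as submitted, echo raw) next to the
// hardened pattern (sanitize on save by capability, escape on output).
// Option name, field name and function names are assumptions for illustration.

// Stand-ins so the file runs under plain `php` outside WordPress; inside
// WordPress these functions already exist and the stand-ins are skipped.
// They approximate, not reproduce, WordPress's implementations.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'wp_strip_all_tags' ) ) {
    function wp_strip_all_tags( $text ) {
        return trim( strip_tags( (string) $text ) );
    }
}
if ( ! function_exists( 'current_user_can' ) ) {
    // Assumption for the demo: the actor is a site Administrator on multisite,
    // who holds every capability except unfiltered_html.
    function current_user_can( $cap ) {
        return 'unfiltered_html' !== $cap;
    }
}

// Weak pattern: whatever was saved is concatenated straight into admin markup,
// both as a text node and inside an attribute.
function cmcr_demo_render_label_unsafe( $label ) {
    return '<label for="cmcr_report">' . $label . '</label>'
         . '<input id="cmcr_report" type="text" placeholder="' . $label . '">';
}

// Hardened save: registered as the setting's sanitize_callback, so it runs on
// every update of the option. Users without unfiltered_html (site Administrators
// on multisite, everyone when DISALLOW_UNFILTERED_HTML is true) lose all tags.
function cmcr_demo_sanitize_label( $value ) {
    $value = is_string( $value ) ? $value : '';
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        $value = wp_strip_all_tags( $value );
    }
    return $value;
}

// Hardened render: escape for the context at the point of output, so even a
// payload stored before the fix (or written via another path) is shown as text.
function cmcr_demo_render_label_safe( $label ) {
    return '<label for="cmcr_report">' . esc_html( $label ) . '</label>'
         . '<input id="cmcr_report" type="text" placeholder="' . esc_attr( $label ) . '">';
}

// Wiring inside WordPress only: register the option with its sanitize_callback.
if ( function_exists( 'register_setting' ) ) {
    add_action( 'admin_init', function () {
        register_setting( 'cmcr_demo_group', 'cmcr_demo_label', array(
            'type'              => 'string',
            'sanitize_callback' => 'cmcr_demo_sanitize_label',
            'default'           => '',
        ) );
    } );
}

// Constructed payload of the kind a site Administrator could submit in the field.
$payload = 'Monthly <img src=x onerror="alert(document.cookie)">';

echo "unsafe render:           " . cmcr_demo_render_label_unsafe( $payload ) . "\n";
echo "sanitized on save:       " . cmcr_demo_sanitize_label( $payload ) . "\n";
echo "escaped on output (raw): " . cmcr_demo_render_label_safe( $payload ) . "\n";
```

The save-side check alone is not enough: a payload already in the option stays there until it is edited, and a value written through another path (direct database access, an import, another plugin) never passes through the sanitize_callback. Escaping at output is what neutralizes what is already stored, which is why a complete fix needs both halves.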

Technical or Business Impacts

Even at a Medium severity rating, stored XSS in administrative contexts can create outsized business risk. Potential impacts include unauthorized actions performed in a logged-in user’s session, tampering with site configuration, or exposure of sensitive information visible within the admin interface. These outcomes can disrupt campaign operations, alter analytics/reporting views, and reduce confidence in executive dashboards.

For marketing and leadership stakeholders, the bigger concern is operational: an attacker with administrator-level access (including a compromised admin account) could use this as a persistence mechanism to interfere with workflows, redirect traffic, deface content, or undermine governance in a multisite environment. It can also complicate incident response and compliance reporting if malicious scripts were able to capture data from internal admin pages.

Remediation: Update CM Custom Reports – Flexible reporting to track what matters most to version 1.2.8 or newer, which includes a patch. On multisite, plugin files are shared by every site in the network, so the update is applied once from the Network Admin Plugins screen. Because the injection is stored, also review the plugin's label settings for unexpected markup after updating; a payload saved before the fix remains in the database until it is removed. Track the vulnerability record under CVE-2026-2432; the source advisory is the Wordfence vulnerability entry.

Similar Attacks

Stored XSS is a common web application weakness and has been used broadly to hijack sessions and perform unauthorized actions in trusted user contexts. For reference, here are well-known examples of XSS being leveraged at scale:

Samy MySpace worm (2005) — a classic case where XSS enabled rapid self-propagation across user profiles.

British Airways Magecart-style web skimming incident (2018) — illustrates how malicious scripts injected into web flows can capture sensitive data; while not identical to this plugin issue, it demonstrates the real-world business impact of script injection attacks.
