[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fWCVDb1GDvnftCv4Hj0ufGEINVMLeX8qs8My0i12gBOg":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-2432","cm-custom-reports-authenticated-administrator-stored-cross-site-scripting-via-plugin-labels","CM Custom Reports \u003C= 1.2.7 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Labels","The CM Custom Reports – Flexible reporting to track what matters most plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.2.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.","cm-custom-reports",null,"\u003C=1.2.7","1.2.8","medium",4.4,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:H\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-03-19 19:57:41","2026-03-20 08:26:03",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fe642b5e1-62c1-4aa9-b579-6b2338227dd5?source=api-prod",1,[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-2432 (CM Custom Reports)\n\n## 1. Vulnerability Summary\nThe **CM Custom Reports** plugin (versions \u003C= 1.2.7) is vulnerable to **Stored Cross-Site Scripting (XSS)**. The vulnerability exists in the plugin's \"Labels\" settings, which allow administrators to customize text strings used throughout the plugin's interface. Because the plugin fails to sanitize these inputs when saved to the database and fails to escape them when rendered back to the UI, an attacker with administrative privileges can inject arbitrary JavaScript. \n\nWhile administrators typically have the `unfiltered_html` capability, this vulnerability is significant in **WordPress Multisite** environments or installations where `DISALLOW_UNFILTERED_HTML` is defined, as it allows an administrator to bypass these security restrictions and execute scripts in the context of other users (including Super Admins).\n\n## 2. Attack Vector Analysis\n- **Vulnerable Endpoint**: Admin Settings Page (likely `admin.php?page=cmcr_settings` or similar).\n- **Vulnerable Tab**: \"Labels\" tab.\n- **Payload Carrier**: POST parameters corresponding to label fields (e.g., `cmcr_labels[some_label_key]`).\n- **Authentication**: Required (Administrator+).\n- **Preconditions**: `unfiltered_html` must be disabled for the user (e.g., via Multisite or configuration) to demonstrate a privilege escalation\u002Fsecurity bypass, though the vulnerability exists regardless.\n\n## 3. Code Flow (Inferred)\n1.  **Registration**: The plugin registers a settings page using `add_submenu_page()` under the `cm-custom-reports` menu.\n2.  **Input Handling**: On the \"Labels\" tab, the plugin provides a form. When the form is submitted, a handler (likely hooked to `admin_init` or `admin_post`) processes the `$_POST` data.\n3.  **Persistence**: The handler likely iterates through the labels and saves them using `update_option()`. It fails to apply `sanitize_text_field()` or `wp_kses()` to the label values.\n4.  **Output**: When the settings page or a report page is loaded, the plugin retrieves the labels using `get_option()`.\n5.  **Sink**: The retrieved labels are echoed directly into the HTML without using `esc_html()` or `esc_attr()`.\n\n## 4. Nonce Acquisition Strategy\nTo save settings, the plugin will require a WordPress nonce to prevent CSRF.\n\n1.  **Identify Page**: Navigate to the CM Custom Reports settings page. The slug is likely `cmcr_settings` or `cm-custom-reports-settings`.\n2.  **Access Page**: Use the `browser_navigate` tool to go to `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin.php?page=cmcr_settings`.\n3.  **Extract Nonce**: CM plugins typically wrap their settings in a form that includes a standard WordPress nonce field.\n4.  **JS Extraction**:\n    - Use `browser_eval` to find the nonce: \n      `browser_eval(\"document.querySelector('input[name=\\\"_wpnonce\\\"]')?.value\")`\n    - Also, check for specific CM localization objects:\n      `browser_eval(\"window.cmcr_settings?.nonce\")` (inferred)\n\n## 5. Exploitation Strategy\nThe goal is to store an XSS payload in a label and trigger it by viewing the settings page.\n\n### Step 1: Discover the Settings Form\nNavigate to the settings page and inspect the \"Labels\" tab to identify the exact POST keys.\n- **URL**: `\u002Fwp-admin\u002Fadmin.php?page=cmcr_settings` (inferred)\n- **Tool**: `browser_navigate`\n\n### Step 2: Submit XSS Payload\nSubmit a POST request to the settings handler. Based on CM plugin patterns, this is often a direct POST to the same settings page or `options.php`.\n\n- **Target URL**: `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin.php?page=cmcr_settings`\n- **Method**: POST\n- **Headers**: `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body Parameters (Inferred)**:\n    - `_wpnonce`: [Extracted Nonce]\n    - `action`: `update`\n    - `cmcr_labels[report_header]`: `\u003Cscript>alert(\"XSS_STORED\")\u003C\u002Fscript>`\n    - `save`: `Save Changes`\n\n### Step 3: Trigger Payload\nNavigate back to the settings page or any page where the labels are rendered.\n- **URL**: `\u002Fwp-admin\u002Fadmin.php?page=cmcr_settings`\n- **Tool**: `browser_navigate`\n\n## 6. Test Data Setup\n1.  **User**: Ensure an Administrator user exists.\n2.  **Hardening**: To prove the vulnerability's impact, disable `unfiltered_html` for the admin:\n    - `wp-config.php`: `define( 'DISALLOW_UNFILTERED_HTML', true );`\n3.  **Plugin State**: Ensure **CM Custom Reports** (\u003C= 1.2.7) is installed and activated.\n\n## 7. Expected Results\n- The HTTP response for the settings save should indicate a redirect (302) or success message.\n- Upon navigating to the settings page, an alert box with `XSS_STORED` should appear.\n- The page source should contain the literal string `\u003Cscript>alert(\"XSS_STORED\")\u003C\u002Fscript>`.\n\n## 8. Verification Steps\n1.  **Database Check**: Use WP-CLI to check the stored option:\n    `wp option get cmcr_labels` (inferred option name)\n    Verify that the output contains the raw `\u003Cscript>` tag.\n2.  **Source Check**: Verify the rendered output via the browser:\n    `browser_eval(\"document.body.innerHTML.includes('\u003Cscript>alert')\")`\n\n## 9. Alternative Approaches\n- **AJAX Handler**: If the plugin saves via AJAX, look for a `wp_ajax_cmcr_save_labels` action in the source code.\n- **Report Rendering**: If the XSS does not fire on the admin settings page, try viewing a generated report where the labels might be used as headers.\n- **Attribute Breakout**: If the payload is rendered inside an input value, use: `\">\u003Cscript>alert(1)\u003C\u002Fscript>` or `x\" onmouseover=\"alert(1)`.","The CM Custom Reports plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Labels' settings in versions up to 1.2.7. The plugin fails to sanitize user-inputted label text before saving it to the database and fails to escape the values when rendering them on the settings page, allowing administrators to execute arbitrary JavaScript in the context of other users.","\u002F\u002F Inferred from plugin architecture and research plan\n\u002F\u002F File: views\u002Fbackend\u002Fsettings.php\n\u002F\u002F Rendering the labels tab inputs\nforeach ($labels as $key => $value) {\n    echo '\u003Cinput type=\"text\" name=\"cmcr_labels[' . $key . ']\" value=\"' . $value . '\">';\n}\n\n---\n\n\u002F\u002F File: classes\u002FSettings.php\n\u002F\u002F Handling the settings save action\nif (isset($_POST['cmcr_labels'])) {\n    $labels = $_POST['cmcr_labels'];\n    update_option('cmcr_labels', $labels); \u002F\u002F Fails to sanitize array values\n}","--- a\u002Fclasses\u002FSettings.php\n+++ b\u002Fclasses\u002FSettings.php\n@@ -10,5 +10,5 @@\n if (isset($_POST['cmcr_labels'])) {\n-    $labels = $_POST['cmcr_labels'];\n+    $labels = array_map('sanitize_text_field', $_POST['cmcr_labels']);\n     update_option('cmcr_labels', $labels);\n }\n--- a\u002Fviews\u002Fbackend\u002Fsettings.php\n+++ b\u002Fviews\u002Fbackend\u002Fsettings.php\n@@ -5,3 +5,3 @@\n foreach ($labels as $key => $value) {\n-    echo '\u003Cinput type=\"text\" name=\"cmcr_labels[' . $key . ']\" value=\"' . $value . '\">';\n+    echo '\u003Cinput type=\"text\" name=\"cmcr_labels[' . esc_attr($key) . ']\" value=\"' . esc_attr($value) . '\">';\n }","The exploit targets the plugin's administrative settings interface where text labels can be customized. \n\n1. Authentication: The attacker must be logged in as a WordPress Administrator.\n2. Endpoint: Navigate to the CM Custom Reports settings page, specifically the 'Labels' tab (typically `admin.php?page=cmcr_settings`).\n3. Payload: Identify a text input field for a label (e.g., a report header or button text) and inject a script payload such as: `\u003Cscript>alert(document.cookie)\u003C\u002Fscript>` or `\">\u003Cscript>alert(1)\u003C\u002Fscript>`.\n4. Persistence: Submit the form. The plugin saves the raw payload into the `cmcr_labels` option in the `wp_options` table.\n5. Execution: The payload will execute whenever an administrator views the 'Labels' tab or whenever the plugin renders that specific label on the front-end or back-end, bypassing `unfiltered_html` restrictions in Multisite environments.","gemini-3-flash-preview","2026-04-18 02:15:55","2026-04-18 02:16:13",{"type":34,"vulnerable_version":35,"fixed_version":9,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":9,"fixed_zip":9,"all_tags":38},"plugin","1.2.7","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcm-custom-reports\u002Ftags\u002F1.2.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcm-custom-reports.1.2.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcm-custom-reports\u002Ftags"]