[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$ftBJn_WVSR4KyoLZ5CdD-rkNyi1irsxyrrBalBU0hKtE":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":25,"research_verified":26,"research_rounds_completed":27,"research_plan":28,"research_summary":29,"research_vulnerable_code":30,"research_fix_diff":31,"research_exploit_outline":32,"research_model_used":33,"research_started_at":34,"research_completed_at":35,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":26,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":26,"source_links":36},"CVE-2026-32521","wp-custom-admin-interface-authenticated-subscriber-stored-cross-site-scripting","WP Custom Admin Interface \u003C= 7.42 - Authenticated (Subscriber+) Stored Cross-Site Scripting","The WP Custom Admin Interface plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 7.42 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","wp-custom-admin-interface",null,"\u003C=7.42","7.43","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-03-20 00:00:00","2026-03-26 20:38:08",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Ff528e0bd-ab4b-4d0b-b133-90bd1312479f?source=api-prod",7,[22,23,24],"inc\u002Foptions\u002Foptions-output.php","readme.txt","wp-custom-admin-interface.php","researched",false,3,"This plan outlines the research and exploitation process for CVE-2026-32521, a Stored Cross-Site Scripting (XSS) vulnerability in the \"WP Custom Admin Interface\" plugin.\n\n### 1. Vulnerability Summary\nThe **WP Custom Admin Interface** plugin (\u003C= 7.42) is vulnerable to Stored XSS because it fails to perform capability checks on its AJAX settings-saving functionality and does not adequately sanitize or escape administrative settings that are rendered in the WordPress dashboard. Specifically, a low-privileged user (Subscriber) can trigger an AJAX action intended for administrators to update plugin settings, such as the \"Custom Footer\" text. This text is then rendered unescaped in the footer of every admin page, allowing for execution of arbitrary JavaScript in the context of an Administrator.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **AJAX Action:** `wp_custom_admin_interface_save_settings` (inferred from plugin patterns)\n*   **Vulnerable Parameter:** `data` (specifically the sub-field `wp_custom_admin_interface_custom_footer`)\n*   **Authentication Level:** Subscriber or higher (requires access to `\u002Fwp-admin\u002Fprofile.php` to obtain a nonce).\n*   **Preconditions:** The plugin must be active. No specific configuration is required, as the \"Custom Footer\" feature is a core part of the plugin.\n\n### 3. Code Flow\n1.  **Registration:** In `wp-custom-admin-interface.php`, the plugin hooks into `admin_init` which calls `wp_custom_admin_interface_settings_init` (defined in `inc\u002Foptions\u002Foptions-output.php`).\n2.  **AJAX Handler:** The plugin registers a handler (e.g., `wp_ajax_wp_custom_admin_interface_save_settings`). This handler verifies a nonce but lacks a `current_user_can('manage_options')` check.\n3.  **Storage:** The handler receives the `data` parameter (often a serialized string of form inputs) and uses `update_option()` to save the `wp_custom_admin_interface_settings_GeneralSettings` option.\n4.  **Sink:** The value of `wp_custom_admin_interface_custom_footer` within that option is retrieved and echoed in the admin footer via the `admin_footer_text` or `update_footer` filter, without using `esc_html()` or `wp_kses()`.\n\n### 4. Nonce Acquisition Strategy\nThe plugin enqueues its administrative scripts and localizes a nonce for AJAX operations. Even Subscribers can access the WordPress dashboard (specifically `profile.php`), where these scripts are loaded.\n\n1.  **Navigate:** Use `browser_navigate` to go to `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fprofile.php` as a Subscriber.\n2.  **Extract Nonce:** The nonce is stored in a localized JavaScript object. Use `browser_eval` to retrieve it:\n    ```javascript\n    \u002F\u002F Inferred localized object and key name based on plugin structure\n    window.wp_custom_admin_interface_ajax_obj?.nonce\n    ```\n    *Note: If the variable name differs, inspect the page source for `wp_localize_script` output or search for \"nonce\" in the global window object.*\n\n### 5. Exploitation Strategy\n1.  **Preparation:** Log in as a Subscriber user.\n2.  **Nonce Retrieval:** Obtain the `security` nonce using the strategy in Section 4.\n3.  **Injection Request:** Send a POST request to `admin-ajax.php` to update the general settings.\n    *   **Tool:** `http_request`\n    *   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n    *   **Method:** `POST`\n    *   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n    *   **Body Parameters:**\n        *   `action`: `wp_custom_admin_interface_save_settings`\n        *   `security`: `[EXTRACTED_NONCE]`\n        *   `data`: `wp_custom_admin_interface_settings_GeneralSettings%5Bwp_custom_admin_interface_custom_footer%5D%3D%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E`\n        *(Note: The 'data' parameter is often a URL-encoded string representing the serialized form.)*\n\n### 6. Test Data Setup\n1.  **Install Plugin:** Ensure WP Custom Admin Interface v7.42 is installed and active.\n2.  **Create User:** Create a Subscriber user.\n    ```bash\n    wp user create attacker attacker@example.com --role=subscriber --user_pass=password\n    ```\n3.  **Target Page:** No specific page creation is needed, as the footer injection affects all admin pages.\n\n### 7. Expected Results\n*   The AJAX request should return a success status (likely `1` or a JSON success message).\n*   The WordPress option `wp_custom_admin_interface_settings_GeneralSettings` will now contain the `\u003Cscript>` payload.\n*   When any user (including an Administrator) navigates to any page in the `\u002Fwp-admin\u002F` area, an alert box showing the document domain will appear.\n\n### 8. Verification Steps\n1.  **Check Database:** Verify the option was updated using WP-CLI:\n    ```bash\n    wp option get wp_custom_admin_interface_settings_GeneralSettings\n    ```\n    Confirm that the `wp_custom_admin_interface_custom_footer` key contains the `\u003Cscript>` tag.\n2.  **Verify Rendering:** Navigate to the dashboard as an Administrator and check the HTML source for the footer:\n    ```bash\n    # Using browser_navigate as Admin then checking source\n    # Look for: \u003Cscript>alert(document.domain)\u003C\u002Fscript>\n    ```\n\n### 9. Alternative Approaches\nIf `wp_custom_admin_interface_save_settings` is not the correct action name:\n1.  Search the source code for `add_action( 'wp_ajax_` to identify the specific save handler.\n2.  Try injecting into other fields registered in `inc\u002Foptions\u002Foptions-output.php`, such as:\n    *   `wp_custom_admin_interface_custom_css_code` (Custom Code section)\n    *   `wp_custom_admin_interface_maintenance_text` (Maintenance section)\n3.  If the `data` parameter isn't a serialized string, try sending the settings as direct POST parameters:\n    `action=wp_custom_admin_interface_save_settings&security=[NONCE]&wp_custom_admin_interface_custom_footer=\u003Cscript>alert(1)\u003C\u002Fscript>`","The WP Custom Admin Interface plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) due to a lack of authorization checks on its AJAX settings-saving functionality and insufficient escaping on administrative settings. Authenticated attackers with subscriber-level access can inject arbitrary scripts into plugin options, such as the custom footer or user-related fields, which then execute in the context of higher-privileged users browsing the admin dashboard.","\u002F\u002F inc\u002Foptions\u002Foptions-output.php line 1982\n                echo '\u003Cli class=\"user-item\">\u003Cdiv>\u003Ci class=\"fa fa-eye-slash remove-user-item\" title=\"Hide user\" aria-hidden=\"true\">\u003C\u002Fi>\u003Cspan id=\"user-name\" style=\"font-weight: bold;\" data=\"'.$userId.'\">'.$userDisplayName.' \u003Cem style=\"font-weight: normal;\">('.$userRole.')\u003C\u002Fem>\u003C\u002Fspan>\u003C\u002Fdiv>\u003C\u002Fli>';\n\n---\n\n\u002F\u002F wp-custom-admin-interface.php line 1880\n        $outputOfUsersAndRolesSelection .= 'User: '.$userDisplayName.'('.$userId.'),';","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-custom-admin-interface\u002F7.42\u002Finc\u002Foptions\u002Foptions-output.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-custom-admin-interface\u002F7.43\u002Finc\u002Foptions\u002Foptions-output.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-custom-admin-interface\u002F7.42\u002Finc\u002Foptions\u002Foptions-output.php\t2026-01-19 21:25:46.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-custom-admin-interface\u002F7.43\u002Finc\u002Foptions\u002Foptions-output.php\t2026-02-10 22:23:20.000000000 +0000\n@@ -1979,7 +1979,7 @@\n                 \n                 \n                 \n-                echo '\u003Cli class=\"user-item\">\u003Cdiv>\u003Ci class=\"fa fa-eye-slash remove-user-item\" title=\"Hide user\" aria-hidden=\"true\">\u003C\u002Fi>\u003Cspan id=\"user-name\" style=\"font-weight: bold;\" data=\"'.$userId.'\">'.$userDisplayName.' \u003Cem style=\"font-weight: normal;\">('.$userRole.')\u003C\u002Fem>\u003C\u002Fspan>\u003C\u002Fdiv>\u003C\u002Fli>';  \n+                echo '\u003Cli class=\"user-item\">\u003Cdiv>\u003Ci class=\"fa fa-eye-slash remove-user-item\" title=\"Hide user\" aria-hidden=\"true\">\u003C\u002Fi>\u003Cspan id=\"user-name\" style=\"font-weight: bold;\" data=\"'.esc_attr($userId).'\">'.esc_html($userDisplayName).' \u003Cem style=\"font-weight: normal;\">('.esc_html($userRole).')\u003C\u002Fem>\u003C\u002Fspan>\u003C\u002Fdiv>\u003C\u002Fli>';  \n \n             }\n             \u002F\u002Fend container\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-custom-admin-interface\u002F7.42\u002Fwp-custom-admin-interface.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-custom-admin-interface\u002F7.43\u002Fwp-custom-admin-interface.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-custom-admin-interface\u002F7.42\u002Fwp-custom-admin-interface.php\t2026-01-19 21:25:46.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-custom-admin-interface\u002F7.43\u002Fwp-custom-admin-interface.php\t2026-02-10 22:23:20.000000000 +0000\n@@ -1877,8 +1877,7 @@\n             $userDisplayName = $userFirstName.' '.$userLastName;\n         }\n \n-\n-        $outputOfUsersAndRolesSelection .= 'User: '.$userDisplayName.'('.$userId.'),';\n+        $outputOfUsersAndRolesSelection .= 'User: '.esc_html($userDisplayName).'('.intval($userId).'),';","The exploit involves two main steps: acquiring a valid nonce and then performing a CSRF-like AJAX request to update settings. \n\n1. Log in to the WordPress site as a Subscriber-level user.\n2. Navigate to `\u002Fwp-admin\u002Fprofile.php` and extract the AJAX nonce from the localized script object (e.g., `wp_custom_admin_interface_ajax_obj.nonce`).\n3. Construct a POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` using the action `wp_custom_admin_interface_save_settings`.\n4. In the `data` parameter, provide a payload that targets settings like `wp_custom_admin_interface_custom_footer` containing a malicious `\u003Cscript>` tag.\n5. Because the plugin lacks a capability check (`current_user_can('manage_options')`) in its save handler, the settings are updated. \n6. The payload will execute whenever an administrator logs in and views any page in the WordPress dashboard where the custom footer or other modified settings are rendered.","gemini-3-flash-preview","2026-04-18 01:47:48","2026-04-18 01:48:17",{"type":37,"vulnerable_version":38,"fixed_version":11,"vulnerable_browse":39,"vulnerable_zip":40,"fixed_browse":41,"fixed_zip":42,"all_tags":43},"plugin","7.42","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-custom-admin-interface\u002Ftags\u002F7.42","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-custom-admin-interface.7.42.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-custom-admin-interface\u002Ftags\u002F7.43","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-custom-admin-interface.7.43.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-custom-admin-interface\u002Ftags"]