2026-03-07 1:21 · CVE-2026-2431 · Wordfence
PUBLISHED · dataVersion 5.2 · CWE-79

CM Custom Reports <= 1.2.7 - Reflected Cross-Site Scripting via 'date_from' and 'date_to' Parameters

The CM Custom Reports plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'date_from' and 'date_to' parameters in all versions up to, and including, 1.2.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Problem type

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected products

creativemindssolutions

CM Custom Reports – Flexible reporting to track what matters most

<= 1.2.7 - AFFECTED

References

GitHub Security Advisories

GHSA-rqr7-rcfx-2vqw

The CM Custom Reports plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via...

https://github.com/advisories/GHSA-rqr7-rcfx-2vqw

The CM Custom Reports plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'date_from' and 'date_to' parameters in all versions up to, and including, 1.2.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

JSON source

https://cveawg.mitre.org/api/cve/CVE-2026-2431
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2026-2431",
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "dateUpdated": "2026-03-07T01:21:24.513Z",
    "dateReserved": "2026-02-12T21:16:00.969Z",
    "datePublished": "2026-03-07T01:21:24.513Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence",
        "dateUpdated": "2026-03-07T01:21:24.513Z"
      },
      "title": "CM Custom Reports <= 1.2.7 - Reflected Cross-Site Scripting via 'date_from' and 'date_to' Parameters",
      "descriptions": [
        {
          "lang": "en",
          "value": "The CM Custom Reports plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'date_from' and 'date_to' parameters in all versions up to, and including, 1.2.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."
        }
      ],
      "affected": [
        {
          "vendor": "creativemindssolutions",
          "product": "CM Custom Reports – Flexible reporting to track what matters most",
          "defaultStatus": "unaffected",
          "versions": [
            {
              "version": "*",
              "status": "affected",
              "versionType": "semver",
              "lessThanOrEqual": "1.2.7"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
              "cweId": "CWE-79",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e9b918e1-9bf7-4f90-9e77-829bc8012cbb?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/cm-custom-reports/trunk/backend/reports/RegisteredUsersReport.php#L19"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/cm-custom-reports/tags/1.2.7/backend/reports/RegisteredUsersReport.php#L19"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM"
          }
        }
      ],
      "timeline": [
        {
          "time": "2026-02-12T21:31:08.000Z",
          "lang": "en",
          "value": "Vendor Notified"
        },
        {
          "time": "2026-03-06T11:33:43.000Z",
          "lang": "en",
          "value": "Disclosed"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "san6051",
          "type": "finder"
        }
      ]
    }
  }
}