CVE-2026-32424

Vulnerability

Overview

The Sprout Clients WordPress plugin versions up to and including 3.2.2 contain a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw enables an authenticated attacker with sufficient privileges to inject malicious scripts into the application's data, which are then stored and later executed in the context of other users' browsers when they view the affected pages.

Exploitation

Prerequisites

Exploitation requires a user with at least contributor-level access to the WordPress site, as the vulnerable input fields are part of the plugin's client management interface [1]. The attacker must be able to save crafted payloads that bypass input sanitization. No direct user interaction from the victim is needed beyond visiting the page where the injected script is rendered, making this a stored XSS scenario.

Impact

A successful attack allows the malicious actor to execute arbitrary JavaScript in the browsers of site visitors and administrators. This can be leveraged to steal session cookies, redirect users to phishing sites, display unauthorized advertisements, or deface the website [1]. The CVSS description]. The CVSS v3 base score of 6.5 (Medium) reflects the need for authenticated access but the potential for significant impact on confidentiality and integrity.

Mitigation

The vulnerability is patched in version 3.2.3 of the Sprout Clients plugin [1]. Users are strongly advised to update immediately. For sites where immediate update is not possible, applying a web application firewall rule that blocks common XSS payloads in plugin-specific fields can serve as a temporary workaround. The vendor has not reported active exploitation in the wild, but given the plugin's use in mass-exploit campaigns, prompt remediation is recommended.