CVE-2026-32521

Vulnerability

Overview

The WP Custom Admin Interface plugin for WordPress, versions up to and including 7.42, contains a DOM-based Cross-Site Scripting (XSS) vulnerability [1]. The root cause is improper neutralization of user input during web page generation, which allows an attacker to inject arbitrary JavaScript into the admin interface [1].

Exploitation

Details

Exploitation requires user interaction — a victim with the necessary privileges must click a malicious link, visit a crafted page, or submit a specially crafted form [1]. The attack is DOM-based, meaning the payload executes within the browser's DOM environment without requiring server-side reflection [1]. This vulnerability is considered moderately dangerous and is expected to be used in mass-exploit campaigns targeting thousands of WordPress sites regardless of size or popularity [1].

Impact

A successful attack allows a malicious actor to inject scripts that can perform actions such as redirecting users, displaying advertisements, or injecting other HTML payloads [1]. These scripts execute when other users (including site visitors) access the affected admin interface, potentially leading to session hijacking, defacement, or further compromise [1].

Mitigation

The vulnerability has been patched in version 7.43 of the plugin [1]. Users are strongly advised to update immediately. If updating is not possible, a mitigation rule from Patchstack can block attacks until the update is applied [1].