CVE-2026-9271
Description
KeepInMind Dashboard Notes plugin ≤0.8.2.9 has stored XSS allowing contributors to take over admin accounts when admin views dashboard.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The KeepInMind - Dashboard Notes plugin for WordPress, versions 0.8.2.9 and below, is vulnerable to Stored Cross-Site Scripting (XSS) via the REST API. The plugin does not sufficiently sanitize the content parameter when saving notes: its sanitization still permits the style attribute, dangerous CSS properties such as position: fixed and z-index, and values in viewport units (vw/vh). This allows an authenticated user with a low-privileged role (e.g., Contributor, if enabled in the plugin settings) to inject a malicious payload into a note [1].
Exploitation
An attacker with Contributor-level access (or higher) can craft a note containing malicious CSS and JavaScript. When an Administrator views the dashboard, the payload executes in the context of the admin's browser. The attacker uses CSS to overlay a high-fidelity, fake "Session Expired" re-authentication prompt over the entire UI. If the admin enters their credentials, they are exfiltrated to an attacker-controlled external server [1].
Impact
Successful exploitation leads to Administrative Account Takeover (ATO), allowing the attacker to gain full administrative privileges. This represents a complete breach of the security boundary between user roles (Vertical Privilege Escalation). Additionally, the XSS is persistent and can cause persistent Denial of Service (DoS) by modifying the dashboard [1].
Mitigation
The vulnerability is fixed in version 0.8.4.2 of the KeepInMind - Dashboard Notes plugin. Users should update to this version or later immediately. No workarounds are provided in the available references [1].
AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"Insufficient sanitization of the `content` parameter via `wp_kses` allows dangerous CSS properties, enabling Stored XSS through UI redressing."
Attack vector
An authenticated user with a low-privileged role (e.g., Contributor, if enabled in plugin settings) injects a malicious CSS payload into a note via the REST API [1]. When an Administrator views the dashboard, the payload executes in their browser, using CSS to overlay a fake "Session Expired" re-authentication prompt that redresses the entire UI. The victim is tricked into entering their credentials, which are exfiltrated to an attacker-controlled external server, leading to Administrative Account Takeover (ATO) [CWE-79].
Affected code
The KeepInMind - Dashboard Notes plugin (versions 0.8.2.9 and below) fails to sanitize the `content` parameter adequately when saving notes via the REST API. The plugin's `wp_kses` configuration allows the `style` attribute, dangerous CSS properties such as `position: fixed` and `z-index`, and values expressed in viewport units (`vw`/`vh`).
What the fix does
The advisory states the vulnerability is fixed in version 0.8.4.2 but does not include a patch diff. The fix likely involves stricter sanitization of the `content` parameter, either by removing the `style` attribute entirely or by restricting allowed CSS properties to prevent UI redressing. Without the patch, the exact remediation cannot be confirmed.
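Because the page carries no patch, the following is an added, hypothetical hardening example (not the plugin's own code and not taken from the fix) showing both remediation options named above in WordPress terms: either drop the `style` attribute from the tag allow-list before calling `wp_kses`, or keep `style` but remove layout properties through WordPress's `safe_style_css` filter and reject viewport-unit values through the `safecss_filter_attr_allow_css` filter (available since WordPress 5.5). It assumes WordPress is loaded; the `keepinmind_example_` function names and the property list are assumptions.

```php
<?php
// Added example, not the plugin's code. Assumes WordPress core is loaded so that
// wp_kses(), wp_kses_allowed_html() and add_filter() are available.

// Layout properties that make UI redressing possible (assumed list; extend as needed).
const KEEPINMIND_EXAMPLE_DANGEROUS_CSS = [
    'position', 'z-index', 'top', 'left', 'right', 'bottom', 'inset',
    'width', 'height', 'min-width', 'min-height', 'max-width', 'max-height',
];

/**
 * Option 1: a tag allow-list derived from the 'post' context with the
 * style attribute removed from every tag. Notes rendered on the dashboard
 * do not need inline CSS, so this is the simplest safe choice.
 */
function keepinmind_example_allowed_html(): array {
    $allowed = wp_kses_allowed_html('post');
    foreach ($allowed as $tag => $attrs) {
        unset($allowed[$tag]['style']);
    }
    return $allowed;
}

/** Sanitize note content on save (call this before persisting the REST 'content' field). */
function keepinmind_example_sanitize_note(string $content): string {
    return wp_kses($content, keepinmind_example_allowed_html());
}

/**
 * Option 2: keep the style attribute but restrict what it may contain.
 * safe_style_css receives the list of CSS property names wp_kses accepts;
 * removing layout properties prevents fixed overlays and stacking tricks.
 */
add_filter('safe_style_css', function (array $properties): array {
    return array_values(array_diff($properties, KEEPINMIND_EXAMPLE_DANGEROUS_CSS));
});

/**
 * safecss_filter_attr_allow_css is called per declaration with a test string;
 * returning false drops that declaration. Here any viewport-relative unit
 * (vw/vh/vmin/vmax) is rejected so an element cannot size itself to the screen.
 */
add_filter('safecss_filter_attr_allow_css', function (bool $allow, string $css_test_string): bool {
    if (preg_match('/\d(\.\d+)?\s*(vw|vh|vmin|vmax)\b/i', $css_test_string)) {
        return false;
    }
    return $allow;
}, 10, 2);
```

Only one of the two options is needed; option 1 is preferable for a dashboard widget because it removes the attack surface entirely rather than enumerating dangerous properties, and it also covers viewport units since no `style` attribute survives sanitization.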
Preconditions
- config: The plugin must have the Contributor role enabled for note creation in its settings.
- auth: The attacker must be authenticated with at least a Contributor-level account.
- input: An Administrator must view the dashboard page where the malicious note is rendered.
Generated on Jun 12, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (1)
News mentions (0)
No linked articles in our index yet.