Skip to main content

Astra Bulk Edit CVE-2026-32431

| EUVDEUVD-2026-11965 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-03-13 Patchstack
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
EUVD ID Assigned
Mar 13, 2026 - 16:57 euvd
EUVD-2026-11965
Analysis Generated
Mar 13, 2026 - 16:57 vuln.today
CVE Published
Mar 13, 2026 - 11:42 nvd
MEDIUM 6.5

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brainstorm Force Astra Bulk Edit astra-bulk-edit allows DOM-Based XSS.This issue affects Astra Bulk Edit: from n/a through <= 1.2.10.

AnalysisAI

A DOM-based Cross-Site Scripting (XSS) vulnerability exists in the Brainstorm Force Astra Bulk Edit WordPress plugin through version 1.2.10, allowing authenticated attackers to inject malicious scripts that execute in the context of other users' browsers. An attacker with low-privilege account access (e.g., contributor or editor role) can craft malicious input that, when processed by the bulk edit functionality, results in arbitrary JavaScript execution affecting site administrators and other users. The vulnerability requires user interaction (UI:R) but can affect multiple users across the site due to its stored/DOM-based nature, making it a persistent attack vector for privilege escalation or data exfiltration.

Technical ContextAI

This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), specifically manifesting as DOM-based XSS. DOM-based XSS occurs when client-side JavaScript code processes user-controlled input unsafely, using methods like innerHTML, eval(), or similar DOM manipulation without proper sanitization or encoding. In the Astra Bulk Edit plugin (CPE: cpe:2.3:a:brainstorm_force:astra_bulk_edit), the bulk edit functionality likely accepts user input through form fields or AJAX requests and reflects this data directly into the DOM without adequate output encoding or Content Security Policy (CSP) protections. The vulnerability affects the plugin's ability to safely handle form inputs during batch editing operations, a common attack surface in administrative interfaces where multiple data fields are processed simultaneously.

RemediationAI

Immediately upgrade the Astra Bulk Edit plugin to a patched version released after 1.2.10 via the WordPress admin dashboard (Plugins > Updates) or by downloading the latest version from the official WordPress plugin repository. Verify the upgrade completed successfully and review the plugin changelog to confirm XSS protections were implemented. As a temporary measure pending patch availability, site administrators should restrict bulk edit functionality to trusted administrator accounts only by using role management plugins or disabling bulk edit capabilities for lower-privilege users. Additionally, implement a Content Security Policy (CSP) header with script-src restrictions and enable WordPress security hardening plugins that provide input validation and output encoding protections. Monitor for any suspicious activity in audit logs correlating with bulk edit operations, as DOM-based XSS in administrative interfaces may indicate compromise of editor or contributor accounts.

Share

CVE-2026-32431 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy