Skip to main content

Wp Custom Admin Interface CVE-2026-32521

| EUVDEUVD-2026-15885 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-03-25 Patchstack GHSA-qchc-j443-vmp6
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15885
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:15 nvd
MEDIUM 6.5

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Northern Beaches Websites WP Custom Admin Interface wp-custom-admin-interface allows DOM-Based XSS.This issue affects WP Custom Admin Interface: from n/a through <= 7.42.

AnalysisAI

A DOM-based Cross-Site Scripting (XSS) vulnerability exists in the Northern Beaches Websites WP Custom Admin Interface WordPress plugin through version 7.42, allowing attackers to inject and execute arbitrary JavaScript code in users' browsers. This vulnerability affects all installations of the plugin up to and including version 7.42, enabling attackers to steal session cookies, perform unauthorized actions on behalf of authenticated administrators, or redirect users to malicious sites. While no CVSS score or EPSS probability has been published, the DOM-based XSS classification (CWE-79) combined with the plugin's administrative scope indicates a high-severity risk requiring immediate patching.

Technical ContextAI

DOM-based XSS (CWE-79: Improper Neutralization of Input During Web Page Generation) occurs when untrusted user input is processed and reflected in the Document Object Model without proper sanitization or encoding. The WP Custom Admin Interface plugin (identified via CPE cpe:2.3:a:northern_beaches_websites:wp_custom_admin_interface) processes user-supplied data that is dynamically injected into the DOM, allowing malicious scripts to execute in the context of the WordPress admin interface. Unlike reflected or stored XSS, DOM-based variants execute entirely on the client-side, making them harder to detect via server-side logging but equally dangerous when targeting privileged WordPress administrators who manage site content and user accounts.

RemediationAI

Immediately upgrade the WP Custom Admin Interface plugin to a version newer than 7.42 (check the vendor advisory and WordPress plugin repository for the patched version release). Access the WordPress dashboard, navigate to Plugins > Installed Plugins, locate WP Custom Admin Interface, and click 'Update Now' once a patched version becomes available. Until patching is feasible, restrict administrative access by limiting WordPress admin dashboard access via IP whitelisting, enforcing strong authentication via multi-factor authentication (MFA), and educating administrators to avoid clicking suspicious links in emails or chat. Monitor plugin and WordPress core security advisories regularly via the Patchstack vulnerability database (https://patchstack.com) or the official WordPress plugin repository for timely patch notifications.

Share

CVE-2026-32521 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy