Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
3DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Northern Beaches Websites WP Custom Admin Interface wp-custom-admin-interface allows DOM-Based XSS.This issue affects WP Custom Admin Interface: from n/a through <= 7.42.
AnalysisAI
A DOM-based Cross-Site Scripting (XSS) vulnerability exists in the Northern Beaches Websites WP Custom Admin Interface WordPress plugin through version 7.42, allowing attackers to inject and execute arbitrary JavaScript code in users' browsers. This vulnerability affects all installations of the plugin up to and including version 7.42, enabling attackers to steal session cookies, perform unauthorized actions on behalf of authenticated administrators, or redirect users to malicious sites. While no CVSS score or EPSS probability has been published, the DOM-based XSS classification (CWE-79) combined with the plugin's administrative scope indicates a high-severity risk requiring immediate patching.
Technical ContextAI
DOM-based XSS (CWE-79: Improper Neutralization of Input During Web Page Generation) occurs when untrusted user input is processed and reflected in the Document Object Model without proper sanitization or encoding. The WP Custom Admin Interface plugin (identified via CPE cpe:2.3:a:northern_beaches_websites:wp_custom_admin_interface) processes user-supplied data that is dynamically injected into the DOM, allowing malicious scripts to execute in the context of the WordPress admin interface. Unlike reflected or stored XSS, DOM-based variants execute entirely on the client-side, making them harder to detect via server-side logging but equally dangerous when targeting privileged WordPress administrators who manage site content and user accounts.
RemediationAI
Immediately upgrade the WP Custom Admin Interface plugin to a version newer than 7.42 (check the vendor advisory and WordPress plugin repository for the patched version release). Access the WordPress dashboard, navigate to Plugins > Installed Plugins, locate WP Custom Admin Interface, and click 'Update Now' once a patched version becomes available. Until patching is feasible, restrict administrative access by limiting WordPress admin dashboard access via IP whitelisting, enforcing strong authentication via multi-factor authentication (MFA), and educating administrators to avoid clicking suspicious links in emails or chat. Monitor plugin and WordPress core security advisories regularly via the Patchstack vulnerability database (https://patchstack.com) or the official WordPress plugin repository for timely patch notifications.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15885
GHSA-qchc-j443-vmp6