Stored Cross-Site Scripting Vulnerability in Custom New User Notification Plugin for WordPress
CVE-2026-3551

4.4MEDIUM

Key Information:

Vendor

WordPress
Status
Custom New User Notification
Vendor
CVE Published:
16 April 2026

What is CVE-2026-3551?

The Custom New User Notification plugin for WordPress suffers from a stored cross-site scripting vulnerability stemming from inadequate input sanitization and output escaping in its admin settings. This flaw allows authenticated users with Administrator-level access to inject malicious scripts into the plugin’s settings page. Specifically, critical fields like 'User Mail Subject', 'User From Name', and others are registered without proper sanitization callbacks. As a result, when an admin accesses the settings page, the injected scripts can execute, potentially leading to unauthorized actions in multisite installations where sub-site administrators can target super admins.

Affected Version(s)

Custom New User Notification 0 <= 1.2.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/custom-new-use...
https://plugins.trac.wordpress.org/browser/custom-new-use...

CVSS V3.1

Score:
4.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
High
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Muhammad Nur Ibnu Hubab
.