WordPress KeepInMind Plugin Flaw Lets Contributors Hijack Admin Sessions

If you run the KeepInMind – Dashboard Notes plugin on your WordPress site, pay attention. Version 0.8.4.2 and below carry a stored XSS vulnerability rated CVSS 9.0 — critical.

Tracked as CVE-2026-9271, the flaw lets authenticated attackers with Contributor-level privileges or higher inject malicious HTML and CSS through the plugin’s note-saving REST endpoint. The wp_kses sanitization filter doesn’t properly restrict dangerous CSS properties.

Here’s the attack scenario. A Contributor creates a dashboard note containing a full-screen overlay using position: fixed, z-index, and viewport units. When an Administrator visits the dashboard, that overlay renders across the entire screen. It can spoof a convincing “Session Expired” login prompt. If the admin types their credentials, they’re sent to the attacker.

That’s full admin account takeover from a Contributor account. Researcher Pavan N discovered and disclosed the vulnerability on June 12, 2026.

The fixed version is 0.8.4.3. Update your plugin.

References