PT-2026-26494
Author: Dmitry Ignatyev
Published: 2026-03-19
Updated: 2026-04-05
CVE-2026-4267
CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Query Monitor versions prior to 3.20.4

Description
The Query Monitor plugin for WordPress is susceptible to Reflected Cross-Site Scripting due to insufficient input sanitization and output escaping. This allows unauthenticated attackers to inject arbitrary web scripts into pages that execute if a user is tricked into performing an action, such as clicking a link. The issue stems from the plugin reading user-controlled data from the $_SERVER['REQUEST_URI'] parameter and rendering it without proper HTML escaping. Specifically, the format_url() function returns the attacker-supplied string without escaping if it does not contain an ampersand (&), allowing injected HTML or JavaScript to be inserted directly into the page. The vulnerable parameter is $_SERVER['REQUEST_URI'].

Recommendations
Update to Query Monitor version 3.20.4 or later.
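As an added illustration (not Query Monitor's own code), the escaping pattern the description names, in PHP: a formatter that escapes only when the value contains an ampersand, next to one that escapes unconditionally. The function names, the esc_html() stand-in and the sample request path are constructed for the demo.

```php
<?php
// Illustration added to this record, not Query Monitor's own code: a URL
// formatter that escapes only when the value contains '&' (the conditional
// described above), next to one that escapes unconditionally.

// Stand-in for WordPress's esc_html() so the file runs outside WordPress.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( string $text ): string {
        return htmlspecialchars( $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}

// Hypothetical vulnerable formatter: input without an ampersand is returned
// as-is, so any markup in the request path reaches the page unescaped.
function format_url_conditional( string $url ): string {
    if ( false === strpos( $url, '&' ) ) {
        return $url;
    }
    return esc_html( $url );
}

// Hardened formatter: escape every value destined for HTML, no shortcuts.
function format_url_escaped( string $url ): string {
    return esc_html( $url );
}

// Review check: output bound for an HTML context must not carry raw '<' or '>'.
function has_unescaped_markup( string $html ): bool {
    return 1 === preg_match( '/[<>]/', $html );
}

// Constructed sample request path carrying harmless markup and no '&'.
$_SERVER['REQUEST_URI'] = '/wp-admin/?probe=<b>probe</b>';
$raw = $_SERVER['REQUEST_URI'];

foreach ( [ 'conditional' => format_url_conditional( $raw ),
            'escaped'     => format_url_escaped( $raw ) ] as $label => $out ) {
    printf( "%-12s unescaped markup: %s  output: %s\n",
        $label, has_unescaped_markup( $out ) ? 'yes' : 'no', $out );
}
```

The conditional formatter passes the markup through untouched because the heuristic never fires, which is why escaping must not depend on the content of the value being escaped.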

Tags: Fix, XSS

Weakness Enumeration

Related Identifiers

CVE-2026-4267
GHSA-2XR4-CHCF-VMVF

Affected Products

Query Monitor
Query Monitor – The Developer Tools Panel For WordPress
Johnbillion/Query-Monitor