CVE-2026-3368

Name of the Vulnerable Software and Affected Versions Injection Guard versions up to and including 1.2.9

Description The Injection Guard plugin for WordPress is susceptible to Stored Cross-Site Scripting due to inadequate input sanitization and missing output escaping. The issue stems from insufficient sanitization in the sanitize ig data() function, which only sanitizes array values and not array keys. Additionally, the ig settings.php template lacks output escaping when rendering stored parameter keys directly into HTML. The plugin captures the query string via $ SERVER['QUERY STRING'], applies esc url raw(), and then uses parse str() which URL-decodes the string. This process can result in decoded HTML/JavaScript in the array keys, which are then stored via update option('ig requests log') and rendered on the admin log page without proper escaping. This allows unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the Injection Guard log interface.

Recommendations Update Injection Guard to a version newer than 1.2.9.