PT-2026-42066 · WordPress · Anomify Ai
Ibnu
+1
·
Published
2026-05-20
·
Updated
2026-05-28
·
CVE-2026-6404
CVSS v3.1
4.4
Medium
| Vector | AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Anomify AI – Anomaly Detection and Alerting plugin for WordPress versions prior to 0.3.7
Description
The plugin is subject to Stored Cross-Site Scripting, a condition where malicious scripts are permanently stored on the target server. The issue occurs because the plugin uses
sanitize text field() on the Metric Data Key input before saving it with update option(), but this function does not encode double-quote characters. Subsequently, the value is echoed into an HTML attribute context without using esc attr(). This allows authenticated attackers with administrator-level access to inject arbitrary web scripts via the anomify api key parameter, which execute when a user visits the plugin settings page.Recommendations
Update the plugin to a version later than 0.3.6.
As a temporary workaround, restrict administrator access to the plugin settings page to minimize the risk of script injection via the
anomify api key parameter.Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Anomify Ai