PT-2026-42066 · WordPress · Anomify Ai

Ibnu

+1

·

Published

2026-05-20

·

Updated

2026-05-28

·

CVE-2026-6404

CVSS v3.1

4.4

Medium

VectorAV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions Anomify AI – Anomaly Detection and Alerting plugin for WordPress versions prior to 0.3.7
Description The plugin is subject to Stored Cross-Site Scripting, a condition where malicious scripts are permanently stored on the target server. The issue occurs because the plugin uses sanitize text field() on the Metric Data Key input before saving it with update option(), but this function does not encode double-quote characters. Subsequently, the value is echoed into an HTML attribute context without using esc attr(). This allows authenticated attackers with administrator-level access to inject arbitrary web scripts via the anomify api key parameter, which execute when a user visits the plugin settings page.
Recommendations Update the plugin to a version later than 0.3.6. As a temporary workaround, restrict administrator access to the plugin settings page to minimize the risk of script injection via the anomify api key parameter.

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-6404

Affected Products

Anomify Ai