Anomify AI <= 0.3.6 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'anomify_api_key' Parameter
Description
The Anomify AI – Anomaly Detection and Alerting plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'anomify_api_key' parameter in versions up to and including 0.3.6. This is due to insufficient input sanitization and missing output escaping: the plugin applies sanitize_text_field() to the Metric Data Key input before saving it via update_option(), but sanitize_text_field() strips HTML tags without encoding double-quote characters, and the value is then echoed directly into an HTML attribute context (value="...") without esc_attr(). This makes it possible for authenticated attackers with administrator-level access to inject arbitrary web scripts that execute whenever a user visits the plugin's settings page.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
Technical Details
To prevent this class of vulnerability in WordPress plugins, the relevant practices are:
- WordPress output escaping: use esc_html(), esc_attr(), and esc_url() according to the HTML context the value is printed into (body text, attribute, or URL).
- WordPress input sanitization: use sanitize_text_field() and absint() to clean user input before saving it to the database.
- WordPress Settings API security: follow best practices for handling plugin configuration through the Settings API.
- OWASP guidance on XSS prevention: general principles for preventing Cross-Site Scripting vulnerabilities.
Summary
The Anomify AI plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'anomify_api_key' parameter due to inadequate output escaping. An administrator can inject malicious scripts into the plugin settings that execute when any user views the settings page, potentially allowing for session hijacking or unauthorized administrative actions.
Vulnerable Code
```php
// Logic inferred from the vulnerability description (not the plugin's verbatim source)

// Processing the setting: sanitize_text_field() strips tags but leaves
// double quotes intact, so they reach the database.
if ( isset( $_POST['anomify_api_key'] ) ) {
    update_option( 'anomify_api_key', sanitize_text_field( $_POST['anomify_api_key'] ) );
}

// Displaying the setting in the admin UI: the stored value is concatenated
// into a value="..." attribute without esc_attr().
$anomify_api_key = get_option( 'anomify_api_key' );
echo '<input type="text" name="anomify_api_key" value="' . $anomify_api_key . '">';
```
Security Fix
@@ -10,1 +10,1 @@ -echo '<input type="text" name="anomify_api_key" value="' . $anomify_api_key . '">'; +echo '<input type="text" name="anomify_api_key" value="' . esc_attr($anomify_api_key) . '">';
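Review bot: esc_attr() on the echo is the right fix for the attribute-context sink the advisory describes, but the hunk touches only that one line; any other place the plugin prints this option (HTML body text, inline JavaScript, a URL) needs its own context-specific escaping (esc_html(), esc_js(), esc_url()). The header `@@ -10,1 +10,1 @@` also carries no context lines, so it should be confirmed against the plugin's actual file rather than the inferred snippet above.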
Exploit Outline
1. Authenticate as a user with Administrator privileges.
2. Navigate to the Anomify AI plugin settings page.
3. Input a malicious payload into the 'anomify_api_key' (Metric Data Key) field that uses double quotes to break out of the HTML attribute, such as: " onfocus="alert(document.cookie)" autofocus="
4. Save the settings. Since sanitize_text_field() does not encode double quotes, the payload is saved to the database.
5. The script executes automatically via the 'autofocus' and 'onfocus' event handlers whenever an administrator visits the settings page, as the value is echoed directly into the 'value' attribute without esc_attr().
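A hardened version of the save and render paths described above, added here as an example and not the plugin's own code; the function names, the option group and the allowed key character set are assumptions:

```php
<?php
// Added example, not the plugin's code. Function names, the option group
// and the assumed key character set are illustrative.

add_action( 'admin_init', 'example_anomify_register_settings' );
function example_anomify_register_settings() {
    register_setting(
        'example_anomify_options',   // option group (assumed)
        'anomify_api_key',           // option name from the advisory
        array(
            'type'              => 'string',
            // Runs on every save through options.php, not only from this form.
            'sanitize_callback' => 'example_anomify_sanitize_key',
            'default'           => '',
        )
    );
}

// Input side: sanitize_text_field() strips tags but keeps double quotes, so
// additionally allowlist the characters a key may contain (assumed format).
// This is defense in depth; the esc_attr() below is what closes the XSS.
function example_anomify_sanitize_key( $value ) {
    $value = sanitize_text_field( (string) $value );
    if ( ! preg_match( '/^[A-Za-z0-9_\-]*$/', $value ) ) {
        add_settings_error( 'anomify_api_key', 'invalid_key',
            'Metric Data Key may contain only letters, digits, "-" and "_".' );
        return get_option( 'anomify_api_key', '' ); // keep the previous value
    }
    return $value;
}

// Output side: esc_attr() encodes " ' < > & so whatever is stored cannot
// terminate the value="..." attribute or add an event handler.
function example_anomify_render_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $key = get_option( 'anomify_api_key', '' );
    echo '<form method="post" action="options.php">';
    settings_fields( 'example_anomify_options' ); // nonce and hidden fields
    echo '<input type="text" name="anomify_api_key" value="' . esc_attr( $key ) . '">';
    submit_button();
    echo '</form>';
}
```

Routing the save through options.php means WordPress performs the nonce and capability checks before the sanitize callback runs, and esc_attr() on output protects the page even if a value bypassed the callback.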