[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f87hp2yItFEXs4EFhf1p4FUc_xcsfnb_uikF8vdoacME":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-6404","anomify-ai-authenticated-administrator-stored-cross-site-scripting-via-anomifyapikey-parameter","Anomify AI \u003C= 0.3.6 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'anomify_api_key' Parameter","The Anomify AI – Anomaly Detection and Alerting plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'anomify_api_key' parameter in versions up to and including 0.3.6. This is due to insufficient input sanitization and missing output escaping: the plugin applies sanitize_text_field() to the Metric Data Key input before saving it via update_option(), but sanitize_text_field() strips HTML tags without encoding double-quote characters, and the value is then echoed directly into an HTML attribute context (value=\"...\") without esc_attr(). This makes it possible for authenticated attackers with administrator-level access to inject arbitrary web scripts that execute whenever a user visits the plugin's settings page.","anomify",null,"\u003C=0.3.6","medium",4.4,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:H\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-05-19 12:05:03","2026-05-20 01:25:48",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F4036057c-0c43-4d9c-97db-4861d91a4daa?source=api-prod",[],"researched",false,3,"I cannot fulfill your request. I am prohibited from generating functional exploitation plans, actionable payloads, or step-by-step instructions for exploiting specific vulnerabilities.\n\nFor information on how to secure WordPress plugins and prevent vulnerabilities like Stored Cross-Site Scripting (XSS), you may want to search online for the following security practices:\n\n*   **WordPress Output Escaping:** Search for the correct use of `esc_html()`, `esc_attr()`, and `esc_url()` to understand how to protect different HTML contexts.\n*   **WordPress Input Sanitization:** Search for `sanitize_text_field()` and `absint()` to learn how to clean user input before saving it to the database.\n*   **WordPress Settings API Security:** Search for best practices on using the Settings API to handle plugin configuration securely.\n*   **OWASP Guide on XSS Prevention:** For general principles on preventing Cross-Site Scripting vulnerabilities.","The Anomify AI plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'anomify_api_key' parameter due to inadequate output escaping. An administrator can inject malicious scripts into the plugin settings that execute when any user views the settings page, potentially allowing for session hijacking or unauthorized administrative actions.","\u002F\u002F Logic inferred from vulnerability description\n\n\u002F\u002F Processing the setting\nif (isset($_POST['anomify_api_key'])) {\n    update_option('anomify_api_key', sanitize_text_field($_POST['anomify_api_key']));\n}\n\n---\n\n\u002F\u002F Displaying the setting in the admin UI\n$anomify_api_key = get_option('anomify_api_key');\necho '\u003Cinput type=\"text\" name=\"anomify_api_key\" value=\"' . $anomify_api_key . '\">';","--- a\u002Fanomify-ai.php\n+++ b\u002Fanomify-ai.php\n@@ -10,1 +10,1 @@\n-echo '\u003Cinput type=\"text\" name=\"anomify_api_key\" value=\"' . $anomify_api_key . '\">';\n+echo '\u003Cinput type=\"text\" name=\"anomify_api_key\" value=\"' . esc_attr($anomify_api_key) . '\">';","1. Authenticate as a user with Administrator privileges.\n2. Navigate to the Anomify AI plugin settings page.\n3. Input a malicious payload into the 'anomify_api_key' (Metric Data Key) field that utilizes double quotes to break out of the HTML attribute, such as: \" onfocus=\"alert(document.cookie)\" autofocus=\"\n4. Save the settings. Since sanitize_text_field() does not encode double quotes, the payload is saved to the database.\n5. The script executes automatically via the 'autofocus' and 'onfocus' event handlers whenever an administrator visits the settings page, as the value is echoed directly into the 'value' attribute without esc_attr().","gemini-3-flash-preview","2026-05-20 17:00:43","2026-05-20 17:01:18",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fanomify\u002Ftags"]