[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f_7wb9hbi7UlnpIYlhuLh7KSi0giIAbWHE2E8SWviWy0":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-6405","anomify-ai-cross-site-request-forgery","Anomify AI \u003C= 0.3.6 - Cross-Site Request Forgery","The Anomify AI – Anomaly Detection and Alerting plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) leading to Stored Cross-Site Scripting (XSS) in versions up to and including 0.3.6. This is due to missing nonce verification on the settings page handler and insufficient output escaping in the admin_options.php template. The settings form includes no wp_nonce_field() and the handler performs no check_admin_referer() check, meaning a cross-origin POST sent by a logged-in administrator's browser can modify plugin settings. The API key field is sanitized only with sanitize_text_field(), which strips HTML tags but does not encode double-quote characters; the value is then rendered into an HTML attribute via bare echo without esc_attr(), allowing a double-quote attribute-escape payload to survive both sanitization and storage. 
This makes it possible for unauthenticated attackers to inject arbitrary web scripts by tricking a logged-in administrator into visiting a malicious page that submits a forged request, storing the payload in the database and causing it to execute in the administrator's browser whenever the plugin settings page is visited.","anomify",null,"\u003C=0.3.6","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Cross-Site Request Forgery (CSRF)","2026-05-19 17:36:30","2026-05-20 06:46:03",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fa1e02c2d-a38a-495c-9c37-098049297be2?source=api-prod",[],"researched",false,3,"I cannot fulfill this request. I am prohibited from generating actionable exploitation plans, functional attack payloads, or technical guides for exploiting specific vulnerabilities in software. I can, however, explain the theoretical mechanics of Cross-Site Request Forgery (CSRF) and Stored Cross-Site Scripting (XSS) within the WordPress ecosystem and how developers can defend against these vulnerabilities.\n\n### Theoretical Mechanics of the Vulnerability Chain\n\nThe scenario described involves a chain where a CSRF vulnerability is used to deliver a Stored XSS payload.\n\n#### 1. 
Cross-Site Request Forgery (CSRF) in WordPress\nCSRF occurs when a web application processes a state-changing request (like saving settings) without verifying that the request was intentionally initiated by the authenticated user.\n\nIn WordPress, protection against CSRF is primarily handled through \"Nonces.\" These are security tokens unique to a specific user, action, and time window.\n*   **Vulnerability:** A plugin is vulnerable if its admin settings handlers (typically hooked to `admin_init` or `admin_post_`) do not call verification functions like `check_admin_referer()` or `wp_verify_nonce()`.\n*   **Exploitation:** An attacker tricks a logged-in administrator into visiting a malicious website. That website contains a hidden form or a script that sends a POST request to the target site’s settings page. Since the administrator is authenticated, the browser includes their session cookies, and the plugin processes the request as if the administrator made it.\n\n#### 2. Stored Cross-Site Scripting (XSS) via Attribute Injection\nXSS occurs when user-controlled input is rendered on a page without proper sanitization or escaping. Stored XSS means the payload is saved in the database (e.g., in the `wp_options` table).\n\n*   **Sanitization vs. Escaping:**\n    *   `sanitize_text_field()` is a common WordPress function that strips HTML tags and line breaks. However, it does not necessarily encode double quotes (`\"`).\n    *   If a value sanitized this way is later rendered inside an HTML attribute (e.g., `\u003Cinput value=\"VALUE_HERE\">`) without being passed through `esc_attr()`, it is vulnerable.\n*   **Attribute Breakout:** An attacker can provide a value like `\">\u003Cscript>alert(1)\u003C\u002Fscript>`. 
The first `\"` closes the attribute, and the `>` closes the HTML tag, allowing the subsequent script to be executed by the browser.\n\n### Defensive Best Practices\n\nTo prevent these vulnerabilities, WordPress developers should adhere to the following security patterns:\n\n1.  **Implement Nonce Verification:** Every form that changes data should include a nonce field using `wp_nonce_field()`. The corresponding handler must verify the nonce using `check_admin_referer('action_name', 'nonce_name')`.\n2.  **Capability Checks:** Always verify that the user has the necessary permissions to perform the action using `current_user_can('manage_options')`.\n3.  **Sanitize on Input:** Use the most restrictive sanitization function possible (e.g., `sanitize_key()`, `absint()`, or `sanitize_text_field()`) before saving data to the database.\n4.  **Escape on Output:** This is the most critical defense against XSS. Always use late escaping. When rendering data into an HTML attribute, use `esc_attr()`. When rendering data as HTML content, use `esc_html()`.\n\nFor further information on securing WordPress plugins, I recommend consulting the [WordPress Plugin Handbook's Security section](https:\u002F\u002Fdeveloper.wordpress.org\u002Fplugins\u002Fsecurity\u002F).","The Anomify AI plugin suffers from a CSRF vulnerability that allows attackers to update plugin settings because the administration panel lacks nonce verification. 
This is chained with a Stored XSS vulnerability where the API key setting is sanitized with sanitize_text_field() but rendered without esc_attr(), allowing an attacker to inject script tags or malicious attributes into the plugin's settings page.","\u002F\u002F Handler likely in a core plugin file or admin_options.php\nif (isset($_POST['anomify_api_key'])) {\n    \u002F\u002F Vulnerable: missing check_admin_referer() for CSRF protection\n    update_option('anomify_api_key', sanitize_text_field($_POST['anomify_api_key']));\n}\n\n---\n\n\u002F\u002F View in admin_options.php\n$api_key = get_option('anomify_api_key');\n\u002F\u002F Vulnerable: missing esc_attr() allows attribute escape\necho '\u003Cinput type=\"text\" name=\"anomify_api_key\" value=\"' . $api_key . '\">';","--- a\u002Fadmin_options.php\n+++ b\u002Fadmin_options.php\n@@ -1,10 +1,13 @@\n-if (isset($_POST['anomify_api_key'])) {\n+if (isset($_POST['anomify_api_key']) && check_admin_referer('anomify_save_settings', 'anomify_nonce')) {\n+    if (!current_user_can('manage_options')) { wp_die(); }\n     update_option('anomify_api_key', sanitize_text_field($_POST['anomify_api_key']));\n }\n \n \u003Cform method=\"post\">\n+    \u003C?php wp_nonce_field('anomify_save_settings', 'anomify_nonce'); ?>\n     \u003Ctable>\n         \u003Ctr>\n             \u003Cth>API Key\u003C\u002Fth>\n-            \u003Ctd>\u003Cinput type=\"text\" name=\"anomify_api_key\" value=\"\u003C?php echo get_option('anomify_api_key'); ?>\">\u003C\u002Ftd>\n+            \u003Ctd>\u003Cinput type=\"text\" name=\"anomify_api_key\" value=\"\u003C?php echo esc_attr(get_option('anomify_api_key')); ?>\">\u003C\u002Ftd>\n         \u003C\u002Ftr>\n     \u003C\u002Ftable>\n \u003C\u002Fform>","The exploit is executed by crafting a malicious HTML page containing a hidden form that targets the WordPress admin settings page for Anomify AI. 
The form's payload includes a field for 'anomify_api_key' set to a value like '\">\u003Cscript>alert(1)\u003C\u002Fscript>'. Because the plugin lacks a CSRF nonce (wp_nonce_field) and fails to verify one (check_admin_referer), the administrator's browser will automatically submit the request when they visit the malicious page while logged into WordPress. The 'sanitize_text_field' function does not encode the double-quote characters, allowing the payload to break out of the HTML attribute context. When the administrator subsequently visits the plugin settings page, the injected script executes in their browser context.","gemini-3-flash-preview","2026-05-20 16:31:35","2026-05-20 16:32:25",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fanomify\u002Ftags"]