CVE-2026-3368
Stored XSS in WordPress Injection Guard Plugin Allows Admin Script Injection
Publication date: 2026-03-21
Last updated on: 2026-03-21
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordfence | injection_guard | to 1.2.9 (inc) |
| wordfence | injection_guard | 1.3.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Injection Guard plugin for WordPress, up to version 1.2.9, is vulnerable to Stored Cross-Site Scripting (XSS) due to improper sanitization of query parameter names. Specifically, the sanitize_ig_data() function sanitizes array values but not the array keys, which are the query parameter names. When a request is made, the plugin captures the query string, applies esc_url_raw() (which preserves URL-encoded special characters), then decodes it with parse_str(), resulting in decoded HTML or JavaScript in the array keys.
These unsanitized keys are stored in the WordPress options via update_option('ig_requests_log') and later rendered directly into the admin log page without proper escaping (missing esc_html() or esc_attr()). This allows unauthenticated attackers to inject arbitrary scripts that execute when an administrator views the Injection Guard log interface.
How can this vulnerability impact me? :
This vulnerability allows unauthenticated attackers to perform Stored Cross-Site Scripting (XSS) attacks by injecting malicious scripts into the query parameter names of requests logged by the Injection Guard plugin.
When an administrator views the Injection Guard log page, the malicious scripts execute in their browser context, potentially leading to session hijacking, credential theft, or unauthorized actions performed with administrator privileges.
Because the attack requires no authentication and targets administrators, it poses a significant risk to the security and integrity of the WordPress site.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'The Injection Guard plugin logs all unique query strings attempting to access the WordPress site, including potentially malicious query parameters. Detection involves monitoring these logged query parameters and URIs for suspicious or unexpected entries.'}, {'type': 'paragraph', 'content': 'Specifically, the plugin captures the request URI and query string, parses the query parameters, and stores them with timestamps in a log accessible via the WordPress admin interface. Administrators can review these logs to identify suspicious parameters.'}, {'type': 'paragraph', 'content': "While no direct network commands are provided in the resources, you can detect suspicious activity by querying the WordPress database option 'ig_requests_log' where the plugin stores logged requests."}, {'type': 'list_item', 'content': 'Use WP-CLI to inspect the logged requests: wp option get ig_requests_log'}, {'type': 'list_item', 'content': 'Monitor HTTP requests to your WordPress site for unusual or suspicious query parameters, especially those containing encoded HTML or JavaScript characters.'}, {'type': 'list_item', 'content': "Review the Injection Guard plugin's admin log page, which displays logged query parameters grouped by URI, highlighting blacklisted parameters."}] [1, 2, 4, 5]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'Immediate mitigation involves updating the Injection Guard plugin to a version later than 1.2.9, as versions up to and including 1.2.9 are vulnerable.'}, {'type': 'paragraph', 'content': 'Since the vulnerability arises from insufficient sanitization of query parameter keys and missing output escaping in the admin log page, upgrading to a patched version (such as 1.3.0) that fixes these issues is critical.'}, {'type': 'paragraph', 'content': "In addition, administrators should review the plugin's logged query parameters and blacklist suspicious or malicious parameters to prevent them from being processed or displayed."}, {'type': 'list_item', 'content': 'Update the Injection Guard plugin to version 1.3.0 or later.'}, {'type': 'list_item', 'content': "Use the plugin's admin interface to blacklist suspicious query parameters."}, {'type': 'list_item', 'content': 'Restrict access to the Injection Guard admin log page to trusted administrators only.'}, {'type': 'list_item', 'content': 'Consider temporarily disabling the Injection Guard plugin if an immediate update is not possible, to prevent exploitation.'}] [1, 2, 4, 5]