CVE-2026-6404
Stored XSS in Anomify AI Anomaly Detection and Alerting WordPress Plugin
Publication date: 2026-05-20
Last updated on: 2026-05-20
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| anomify | anomify_ai | to 0.3.6 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves stored Cross-Site Scripting (XSS) via the 'anomify_api_key' parameter in the Anomify AI plugin for WordPress. Detection typically requires checking the plugin's settings page for injected scripts or examining the stored value of the 'anomify_api_key' option in the WordPress database.
One approach is to query the WordPress database directly to inspect the 'anomify_api_key' option for suspicious content that includes unescaped HTML or JavaScript code.
- Use a MySQL command to check the stored option value, for example: SELECT option_value FROM wp_options WHERE option_name = 'anomify_api_key';
- Manually visit the plugin's settings page in the WordPress admin dashboard and look for unexpected script execution or injected HTML in the Metric Data Key input field.
Network detection is less straightforward since this is a stored XSS triggered in the admin interface; monitoring HTTP responses for injected scripts when accessing the plugin settings page could help.
Can you explain this vulnerability to me?
The Anomify AI β Anomaly Detection and Alerting plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in versions up to and including 0.3.6. This occurs because the plugin does not properly sanitize and escape input for the 'anomify_api_key' parameter. Specifically, it uses sanitize_text_field() which removes HTML tags but does not encode double-quote characters. The value is then directly output into an HTML attribute without proper escaping (esc_attr()), allowing authenticated administrators to inject malicious scripts that execute when the plugin's settings page is viewed.
How can this vulnerability impact me? :
This vulnerability allows an attacker with administrator-level access to inject arbitrary JavaScript code into the plugin's settings page. When other users visit this page, the malicious script executes in their browsers, potentially leading to session hijacking, unauthorized actions, or theft of sensitive information. Although the attacker must already have high privileges, the impact includes compromising the integrity and security of the WordPress site and its users.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, ensure that you update the Anomify AI β Anomaly Detection and Alerting plugin for WordPress to a version later than 0.3.6 where the issue is fixed.
Additionally, restrict administrator-level access to trusted users only, as exploitation requires authenticated administrator privileges.
Avoid visiting the plugin's settings page until the plugin is updated, as the vulnerability executes scripts when the settings page is viewed.