CVE-2026-6404
Deferred Deferred - Pending Action
Stored XSS in Anomify AI Anomaly Detection and Alerting WordPress Plugin

Publication date: 2026-05-20

Last updated on: 2026-05-20

Assigner: Wordfence

Description
The Anomify AI – Anomaly Detection and Alerting plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'anomify_api_key' parameter in versions up to and including 0.3.6. This is due to insufficient input sanitization and missing output escaping: the plugin applies sanitize_text_field() to the Metric Data Key input before saving it via update_option(), but sanitize_text_field() strips HTML tags without encoding double-quote characters, and the value is then echoed directly into an HTML attribute context (value="...") without esc_attr(). This makes it possible for authenticated attackers with administrator-level access to inject arbitrary web scripts that execute whenever a user visits the plugin's settings page.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-20
Last Modified
2026-05-20
Generated
2026-06-10
AI Q&A
2026-05-20
EPSS Evaluated
2026-06-08
NVD
CVE-2026-6404
EUVD
EUVD-2026-31022
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
anomify anomify_ai to 0.3.6 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The Anomify AI – Anomaly Detection and Alerting plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in versions up to and including 0.3.6. This occurs because the plugin does not properly sanitize and escape input for the 'anomify_api_key' parameter. Specifically, it uses sanitize_text_field() which removes HTML tags but does not encode double-quote characters. The value is then directly output into an HTML attribute without proper escaping (esc_attr()), allowing authenticated administrators to inject malicious scripts that execute when the plugin's settings page is viewed.

Impact Analysis

This vulnerability allows an attacker with administrator-level access to inject arbitrary JavaScript code into the plugin's settings page. When other users visit this page, the malicious script executes in their browsers, potentially leading to session hijacking, unauthorized actions, or theft of sensitive information. Although the attacker must already have high privileges, the impact includes compromising the integrity and security of the WordPress site and its users.

Mitigation Strategies

To mitigate this vulnerability, ensure that you update the Anomify AI – Anomaly Detection and Alerting plugin for WordPress to a version later than 0.3.6 where the issue is fixed.

Additionally, restrict administrator-level access to trusted users only, as exploitation requires authenticated administrator privileges.

Avoid visiting the plugin's settings page until the plugin is updated, as the vulnerability executes scripts when the settings page is viewed.

Detection Guidance

This vulnerability involves stored Cross-Site Scripting (XSS) via the 'anomify_api_key' parameter in the Anomify AI plugin for WordPress. Detection typically requires checking the plugin's settings page for injected scripts or examining the stored value of the 'anomify_api_key' option in the WordPress database.

One approach is to query the WordPress database directly to inspect the 'anomify_api_key' option for suspicious content that includes unescaped HTML or JavaScript code.

  • Use a MySQL command to check the stored option value, for example: SELECT option_value FROM wp_options WHERE option_name = 'anomify_api_key';
  • Manually visit the plugin's settings page in the WordPress admin dashboard and look for unexpected script execution or injected HTML in the Metric Data Key input field.

Network detection is less straightforward since this is a stored XSS triggered in the admin interface; monitoring HTTP responses for injected scripts when accessing the plugin settings page could help.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6404. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart