CVE-2026-6405
Cross-Site Request Forgery to Stored XSS in Anomify AI WordPress Plugin
Publication date: 2026-05-20
Last updated on: 2026-05-20
Assigner: Wordfence
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| anomify | anomaly_detection_and_alerting | up to and including 0.3.6 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
The Anomify AI β Anomaly Detection and Alerting plugin for WordPress has a vulnerability involving Cross-Site Request Forgery (CSRF) that leads to Stored Cross-Site Scripting (XSS). This occurs because the plugin's settings page handler lacks nonce verification and the settings form does not include a wp_nonce_field(), allowing any cross-origin POST request to modify plugin settings without proper authorization.
Additionally, the API key field is sanitized only with sanitize_text_field(), which strips HTML tags but does not encode double-quote characters. The stored value is then written directly into an HTML attribute without escaping, so a value containing a double quote can break out of the attribute and inject script into the page.
An unauthenticated attacker can trick a logged-in administrator into visiting a malicious page that submits a forged request, storing the malicious script in the database. This script then executes in the administrator's browser whenever the plugin settings page is accessed.
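The two defects described above, as an added illustration that is not the plugin's own source: a settings handler with no nonce check that echoes the saved option into an attribute unescaped, followed by the hardened form of the same handler. Function names, the option name and the nonce action are assumptions chosen for the example; the WordPress API calls (wp_nonce_field, check_admin_referer, esc_attr, sanitize_text_field, current_user_can) are real.

```php
<?php
// Constructed example, NOT the Anomify plugin's code. Option and function
// names are assumptions; the WordPress API functions used are real.

// ---- Vulnerable pattern (as the advisory describes) ----------------------

function example_vuln_save_settings() {
    if ( isset( $_POST['example_api_key'] ) ) {
        // Missing: a nonce check, so a POST triggered from any other site by
        // a logged-in admin's browser is accepted as if the admin submitted it.
        // sanitize_text_field() strips tags but leaves double quotes intact.
        update_option(
            'example_api_key',
            sanitize_text_field( wp_unslash( $_POST['example_api_key'] ) )
        );
    }
}

function example_vuln_render_field() {
    $key = get_option( 'example_api_key', '' );
    // A stored value containing a double quote closes the value="" attribute,
    // and the remainder is parsed by the browser as further markup.
    echo '<input type="text" name="example_api_key" value="' . $key . '">';
}

// ---- Hardened pattern -----------------------------------------------------

function example_safe_render_form() {
    $key = get_option( 'example_api_key', '' );
    echo '<form method="post">';
    // Emits a hidden field with a nonce bound to this action and this user.
    wp_nonce_field( 'example_save_settings', 'example_nonce' );
    // esc_attr() HTML-encodes ", ', <, > and &, so the value stays inside
    // the attribute no matter what was stored.
    echo '<input type="text" name="example_api_key" value="' . esc_attr( $key ) . '">';
    submit_button();
    echo '</form>';
}

function example_safe_save_settings() {
    if ( ! isset( $_POST['example_api_key'] ) ) {
        return;
    }
    // Authorization: only users who may manage options can save them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example' ) );
    }
    // CSRF protection: verifies the nonce from wp_nonce_field() and stops
    // execution (HTTP 403) when it is missing or invalid.
    check_admin_referer( 'example_save_settings', 'example_nonce' );
    update_option(
        'example_api_key',
        sanitize_text_field( wp_unslash( $_POST['example_api_key'] ) )
    );
}
```

The two fixes are independent and both are needed: the nonce check stops a forged cross-origin request from changing the setting at all, and esc_attr() on output ensures that even a value that reaches the database by some other path cannot run as script. The capability check is not a substitute for the nonce, because a CSRF request carries the victim administrator's own capabilities.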
How can this vulnerability impact me?
This vulnerability can allow an attacker to inject and store malicious scripts in the plugin settings, which will execute in the browser of any administrator who visits the settings page.
The impact includes unauthorized modification of plugin settings and potential compromise of administrator accounts or sessions through the execution of arbitrary scripts.
Because the injected script runs in the session of a logged-in administrator who was tricked into visiting a malicious page, it can lead to privilege escalation or further exploitation within the WordPress environment.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking if the Anomify AI β Anomaly Detection and Alerting plugin for WordPress is installed and running a version up to and including 0.3.6.
Since the vulnerability is due to missing nonce verification and insufficient output escaping, network detection might focus on monitoring for unusual cross-origin POST requests targeting the plugin's settings page.
Specific commands to detect the vulnerability are not provided in the available resources.
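Since the advisory itself gives no detection command, here is an added one (not from the advisory or the vendor): a small PHP CLI script that reads the Version: header of a plugin's main file and compares it with the highest affected version listed above (0.3.6) using PHP's built-in version_compare(). The plugin's directory and main file name are not stated on this page, so the path is passed as an argument; a constructed sample header is embedded so the script also runs without a WordPress install.

```php
<?php
// Added example, not from the advisory. Run as:
//   php check_version.php /path/to/wp-content/plugins/<plugin-dir>/<main-file>.php
// Without an argument it checks the constructed sample header below.

const HIGHEST_AFFECTED = '0.3.6'; // per the advisory's affected range

/**
 * Extract the "Version:" value from a WordPress plugin header comment.
 * Mirrors the header format WordPress itself parses (" * Version: 1.2.3").
 */
function plugin_version(string $source): ?string {
    if (preg_match('/^[ \t\/*#@]*Version:[ \t]*([0-9][0-9A-Za-z.\-]*)/mi', $source, $m)) {
        return $m[1];
    }
    return null;
}

/** True when the installed version is <= 0.3.6, i.e. inside the affected range. */
function is_affected(string $version): bool {
    return version_compare($version, HIGHEST_AFFECTED, '<=');
}

// Constructed sample plugin header (not the real plugin's file).
$sample = <<<'SAMPLE'
<?php
/**
 * Plugin Name: Example Plugin (constructed sample)
 * Version: 0.3.6
 */
SAMPLE;

if (isset($argv[1])) {
    $source = @file_get_contents($argv[1]);
    if ($source === false) {
        fwrite(STDERR, "Cannot read {$argv[1]}\n");
        exit(2);
    }
} else {
    $source = $sample;
}

$version = plugin_version($source);
if ($version === null) {
    fwrite(STDERR, "No Version header found\n");
    exit(2);
}

if (is_affected($version)) {
    printf("version %s: AFFECTED (<= %s), update the plugin\n", $version, HIGHEST_AFFECTED);
    exit(1);
}
printf("version %s: not in the affected range\n", $version);
exit(0);
```

The exit code (1 = affected, 0 = not affected, 2 = could not determine) makes the script usable from a cron job or configuration-management check across many sites; on a host with WP-CLI available, `wp plugin list --fields=name,version` gives the same version information for every installed plugin.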
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the Anomify AI β Anomaly Detection and Alerting plugin to a version later than 0.3.6 where the vulnerability is fixed.
If an update is not immediately available, restrict access to the WordPress admin settings page to trusted users only and avoid visiting untrusted or suspicious websites while logged in as an administrator.
Additionally, monitoring and blocking suspicious cross-origin POST requests to the plugin's settings page can help reduce risk.