CVE-2026-6405
Deferred Deferred - Pending Action
Cross-Site Request Forgery to Stored XSS in Anomify AI WordPress Plugin

Publication date: 2026-05-20

Last updated on: 2026-05-20

Assigner: Wordfence

Description
The Anomify AI – Anomaly Detection and Alerting plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) leading to Stored Cross-Site Scripting (XSS) in versions up to and including 0.3.6. This is due to missing nonce verification on the settings page handler and insufficient output escaping in the admin_options.php template. The settings form includes no wp_nonce_field() and the handler performs no check_admin_referer() check, meaning any cross-origin POST can modify plugin settings. The API key field is sanitized only with sanitize_text_field(), which strips HTML tags but does not encode double-quote characters; the value is then rendered into an HTML attribute via bare echo without esc_attr(), allowing a double-quote attribute-escape payload to survive both sanitization and storage. This makes it possible for unauthenticated attackers to inject arbitrary web scripts by tricking a logged-in administrator into visiting a malicious page that submits a forged request, storing the payload in the database and causing it to execute in the administrator's browser whenever the plugin settings page is visited.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-20
Last Modified
2026-05-20
Generated
2026-06-10
AI Q&A
2026-05-20
EPSS Evaluated
2026-06-08
NVD
CVE-2026-6405
EUVD
EUVD-2026-31070
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
anomify anomaly_detection_and_alerting to 0.3.6 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The Anomify AI – Anomaly Detection and Alerting plugin for WordPress has a vulnerability involving Cross-Site Request Forgery (CSRF) that leads to Stored Cross-Site Scripting (XSS). This occurs because the plugin's settings page handler lacks nonce verification and the settings form does not include a wp_nonce_field(), allowing any cross-origin POST request to modify plugin settings without proper authorization.

Additionally, the API key field is sanitized only with sanitize_text_field(), which removes HTML tags but does not encode double-quote characters. The value is then output directly into an HTML attribute without proper escaping, enabling an attacker to inject malicious scripts by exploiting this flaw.

An unauthenticated attacker can trick a logged-in administrator into visiting a malicious page that submits a forged request, storing the malicious script in the database. This script then executes in the administrator's browser whenever the plugin settings page is accessed.

Impact Analysis

This vulnerability can allow an attacker to inject and store malicious scripts in the plugin settings, which will execute in the browser of any administrator who visits the settings page.

The impact includes unauthorized modification of plugin settings and potential compromise of administrator accounts or sessions through the execution of arbitrary scripts.

Since the attack requires tricking a logged-in administrator to visit a malicious page, it can lead to privilege escalation or further exploitation within the WordPress environment.

Detection Guidance

Detection of this vulnerability involves checking if the Anomify AI – Anomaly Detection and Alerting plugin for WordPress is installed and running a version up to and including 0.3.6.

Since the vulnerability is due to missing nonce verification and insufficient output escaping, network detection might focus on monitoring for unusual cross-origin POST requests targeting the plugin's settings page.

Specific commands to detect the vulnerability are not provided in the available resources.

Mitigation Strategies

Immediate mitigation steps include updating the Anomify AI – Anomaly Detection and Alerting plugin to a version later than 0.3.6 where the vulnerability is fixed.

If an update is not immediately available, restrict access to the WordPress admin settings page to trusted users only and avoid visiting untrusted or suspicious websites while logged in as an administrator.

Additionally, monitoring and blocking suspicious cross-origin POST requests to the plugin's settings page can help reduce risk.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6405. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart