Description
The Injection Guard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via malicious query parameter names in all versions up to and including 1.2.9. This is due to insufficient input sanitization in the sanitize_ig_data() function which only sanitizes array values but not array keys, combined with missing output escaping in the ig_settings.php template where stored parameter keys are echoed directly into HTML. When a request is made to the site, the plugin captures the query string via $_SERVER['QUERY_STRING'], applies esc_url_raw() (which preserves URL-encoded special characters like %22, %3E, %3C), then passes it to parse_str() which URL-decodes the string, resulting in decoded HTML/JavaScript in the array keys. These keys are stored via update_option('ig_requests_log') and later rendered without esc_html() or esc_attr() on the admin log page. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in the admin log page that execute whenever an administrator views the Injection Guard log interface.
Published: 2026-03-20
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch Now
AI Analysis

Impact

The Injection Guard WordPress plugin allows an unauthenticated attacker to embed malicious script code in query parameter names. Unsanitized array keys are stored in the plugin’s log option and later output without proper escaping. When an administrator views the log interface, the injected code executes in the admin browser session, giving the attacker the ability to steal credentials, modify site content, or perform additional attacks in the administrator’s context. The weakness is a classic stored XSS flaw (CWE‑79).

Affected Systems

WordPress sites running the Injection Guard plugin version 1.2.9 or earlier are affected. The vulnerability exists in all releases up to and including 1.2.9. Any site that has this plugin installed is therefore at risk.

Risk and Exploitability

The CVSS score of 7.2 indicates a high risk level. No EPSS score is provided and the vulnerability is not listed in the CISA KEV catalog, but the attack path is straightforward: an attacker crafts a URL containing malicious query parameter names, visits the site to store the payload in the plugin’s database, and later an administrator’s visit to the log page triggers execution. Because the exploit does not require authentication to inject but relies on an unauthenticated request, the barrier to exploitation is low, while the impact on any admin who views the log page is severe.

Generated by OpenCVE AI on March 21, 2026 at 07:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Injection Guard plugin to the latest version that addresses this issue.
  • If no fix is available, disable or delete the plugin entirely to prevent exploitation.
  • Clear the existing ig_requests_log option to remove any stored malicious scripts.
  • Limit or monitor access to the Injection Guard log page, ensuring only trusted administrators can view it.
  • Consider implementing a web application firewall rule that blocks or sanitizes suspicious query parameters.

Generated by OpenCVE AI on March 21, 2026 at 07:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://plugins.trac.wordpress.org/browser/injection-guard/tags/1.2.8/guard.php#L105 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/injection-guard/tags/1.2.8/guard.php#L153 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/injection-guard/tags/1.2.8/guard.php#L49 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/injection-guard/tags/1.2.8/guard.php#L8 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/injection-guard/tags/1.2.8/guard.php#L94 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/injection-guard/tags/1.2.8/ig_settings.php#L120 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/injection-guard/tags/1.2.8/ig_settings.php#L121 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/injection-guard/tags/1.2.8/ig_settings.php#L124 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/injection-guard/trunk/guard.php#L105 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/injection-guard/trunk/guard.php#L153 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/injection-guard/trunk/guard.php#L49 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/injection-guard/trunk/guard.php#L8 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/injection-guard/trunk/guard.php#L94 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/injection-guard/trunk/ig_settings.php#L120 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/injection-guard/trunk/ig_settings.php#L121 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/injection-guard/trunk/ig_settings.php#L124 cve-icon cve-icon
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3482741%40injection-guard&new=3482741%40injection-guard&sfp_email=&sfph_mail= cve-icon cve-icon
https://www.wordfence.com/threat-intel/vulnerabilities/id/15d9817c-910d-4ce1-a5fb-67a2b6580e16?source=cve cve-icon cve-icon
History

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Fahadmahmood
Fahadmahmood injection Guard
Wordpress
Wordpress wordpress
Vendors & Products Fahadmahmood
Fahadmahmood injection Guard
Wordpress
Wordpress wordpress

Sat, 21 Mar 2026 05:30:00 +0000

Type Values Removed Values Added
Description The Injection Guard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via malicious query parameter names in all versions up to and including 1.2.9. This is due to insufficient input sanitization in the sanitize_ig_data() function which only sanitizes array values but not array keys, combined with missing output escaping in the ig_settings.php template where stored parameter keys are echoed directly into HTML. When a request is made to the site, the plugin captures the query string via $_SERVER['QUERY_STRING'], applies esc_url_raw() (which preserves URL-encoded special characters like %22, %3E, %3C), then passes it to parse_str() which URL-decodes the string, resulting in decoded HTML/JavaScript in the array keys. These keys are stored via update_option('ig_requests_log') and later rendered without esc_html() or esc_attr() on the admin log page. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in the admin log page that execute whenever an administrator views the Injection Guard log interface.
Title Injection Guard <= 1.2.9 - Unauthenticated Stored Cross-Site Scripting via Query Parameter Name
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Fahadmahmood Injection Guard
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:37:02.719Z

Reserved: 2026-02-27T21:15:02.411Z

Link: CVE-2026-3368

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-21T00:16:28.007

Modified: 2026-03-23T14:32:02.800

Link: CVE-2026-3368

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:33:42Z

Weaknesses