Description
The Anomify AI – Anomaly Detection and Alerting plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'anomify_api_key' parameter in versions up to and including 0.3.6. This is due to insufficient input sanitization and missing output escaping: the plugin applies sanitize_text_field() to the Metric Data Key input before saving it via update_option(), but sanitize_text_field() strips HTML tags without encoding double-quote characters, and the value is then echoed directly into an HTML attribute context (value="...") without esc_attr(). This makes it possible for authenticated attackers with administrator-level access to inject arbitrary web scripts that execute whenever a user visits the plugin's settings page.
Published: 2026-05-20
Score: 4.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In versions up to and including 0.3.6, the Anomify AI WordPress plugin stores the value of the 'anomify_api_key' field without sufficient sanitization: tags are stripped, but double-quote characters are left intact. Because the value is later echoed directly into an HTML attribute without escaping, an attacker who can authenticate as an administrator can inject arbitrary JavaScript that executes when any user opens the settings page. The injected script runs in the context of the site and can steal cookies, deface content, or redirect users, compromising the confidentiality and integrity of the web application. The weakness is a classic stored cross-site scripting flaw (CWE-79).

Affected Systems

The vulnerability affects the Anomify AI – Anomaly Detection and Alerting plugin for WordPress, versions up to and including 0.3.6. Any WordPress installation running an affected version and granting administrative access to a user is susceptible. The plugin is maintained by Simon Holliday. No other product families are impacted.

Risk and Exploitability

The CVSS base score of 4.4 indicates a moderate severity. Because the flaw requires authenticated administrator privileges, the attack surface is limited to sites with such accounts; however, once privileged, the attacker can maliciously alter the stored API key and gain persistence. The EPSS is not available, and the vulnerability is not currently listed in the CISA KEV catalog, suggesting it may not yet be actively exploited. Nevertheless, an exploited stored XSS can compromise user sessions and data integrity on the site. The official references show the lack of proper escaping in the output context and clarify that the input sanitization is insufficient. The potential for widespread damage exists if an attacker targets a high-traffic WordPress site with this plugin.

Generated by OpenCVE AI on May 20, 2026 at 03:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Anomify AI plugin to a fixed release that sanitizes the 'anomify_api_key' field and uses esc_attr() when rendering it.
  • If an update is not immediately available, remove or rewrite the code that outputs the key directly; ensure proper escaping such as esc_attr() is applied when displaying the value on the settings page.
  • As a temporary measure, restrict administrator access to trusted users or disable the plugin until a secure version is available.
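The flaw described above and the esc_attr() fix recommended here, as an added, self-contained example that is not the plugin's or OpenCVE's code. sanitize_text_field_like() and esc_attr_like() are constructed approximations of the two WordPress functions (tag stripping that keeps double quotes, and entity encoding that covers them), and attribute_context_intact() is a hypothetical check a reviewer could run over the rendered settings markup to confirm the value="..." context survives.

```python
import html
import re
from html.parser import HTMLParser

def sanitize_text_field_like(value: str) -> str:
    # Model of WordPress sanitize_text_field() (approximation, not WP code):
    # tags stripped, whitespace collapsed, double quotes left untouched.
    return " ".join(re.sub(r"<[^>]*>", "", value).split())

def esc_attr_like(value: str) -> str:
    # Model of WordPress esc_attr(): entity-encodes & < > " and '.
    return html.escape(value, quote=True)

def render_vulnerable(stored: str) -> str:
    # The pattern the advisory describes: stored value echoed raw into value="..."
    return '<input type="text" name="anomify_api_key" value="' + stored + '">'

def render_fixed(stored: str) -> str:
    # Hardened form: attribute-context escaping applied at output time.
    return '<input type="text" name="anomify_api_key" value="' + esc_attr_like(stored) + '">'

class _InputCollector(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.inputs.append(dict(attrs))

def attribute_context_intact(markup: str, expected_value: str) -> bool:
    # True only if exactly one <input> is parsed, it carries exactly the three
    # intended attributes, and its value round-trips to the stored string.
    parser = _InputCollector()
    parser.feed(markup)
    if len(parser.inputs) != 1:
        return False
    attrs = parser.inputs[0]
    return set(attrs) == {"type", "name", "value"} and attrs["value"] == expected_value

CONSTRUCTED_KEY = 'abc" data-injected="1'  # constructed sample: a quote, then an extra attribute

def demo() -> dict:
    stored = sanitize_text_field_like(CONSTRUCTED_KEY)  # tag stripping keeps the quote
    return {
        "stored": stored,
        "vulnerable_intact": attribute_context_intact(render_vulnerable(stored), stored),
        "fixed_intact": attribute_context_intact(render_fixed(stored), stored),
    }
```

With the raw echo, the parser sees a fourth attribute the plugin never wrote; with esc_attr-style encoding the stored string round-trips unchanged inside a single value attribute.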

Advisories

No advisories yet.

History

Wed, 20 May 2026 11:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Simonholliday
                                      Simonholliday anomify Ai – Anomaly Detection And Alerting
                                      Wordpress
                                      Wordpress wordpress
Vendors & Products                    Simonholliday
                                      Simonholliday anomify Ai – Anomaly Detection And Alerting
                                      Wordpress
                                      Wordpress wordpress

Wed, 20 May 2026 02:15:00 +0000

Type                 Values Removed   Values Added
Description                           (the description text given at the top of this record)
Title                                 Anomify AI <= 0.3.6 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'anomify_api_key' Parameter
Weaknesses                            CWE-79
References
Metrics                               cvssV3_1 {'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-20T01:25:48.238Z

Reserved: 2026-04-15T20:41:22.682Z

Link: CVE-2026-6404

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-20T02:16:38.357

Modified: 2026-05-20T02:16:38.357

Link: CVE-2026-6404

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T10:38:30Z

Weaknesses