Description
The Anomify AI – Anomaly Detection and Alerting plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) leading to Stored Cross-Site Scripting (XSS) in versions up to and including 0.3.6. This is due to missing nonce verification on the settings page handler and insufficient output escaping in the admin_options.php template. The settings form includes no wp_nonce_field() and the handler performs no check_admin_referer() check, meaning any cross-origin POST can modify plugin settings. The API key field is sanitized only with sanitize_text_field(), which strips HTML tags but does not encode double-quote characters; the value is then rendered into an HTML attribute via bare echo without esc_attr(), allowing a double-quote attribute-escape payload to survive both sanitization and storage. This makes it possible for unauthenticated attackers to inject arbitrary web scripts by tricking a logged-in administrator into visiting a malicious page that submits a forged request, storing the payload in the database and causing it to execute in the administrator's browser whenever the plugin settings page is visited.
Published: 2026-05-20
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Anomify AI plugin for WordPress fails to verify a nonce on its settings page handler and does not escape output when rendering the stored API key. This allows an attacker to create a form that submits a crafted value to the plugin. A double‑quote payload can survive sanitization, be stored in the database, and later be executed as JavaScript when an administrator loads the settings page, leading to stored cross‑site scripting. The attack does not provide direct remote code execution, but it can be used to steal admin credentials, hijack sessions, or deface the site inside the administrator’s browser.

Affected Systems

All WordPress sites using Anomify AI versions up to and including 0.3.6 are affected. The vulnerability applies to the plugin’s settings page and API key field handling.

Risk and Exploitability

With a CVSS score of 4.3, the vulnerability is considered moderate. The EPSS score is unavailable, and the issue is not listed in the CISA KEV catalog, indicating that there are no known active exploits. The likely attack vector is CSRF: an attacker must trick a logged‑in administrator into visiting a malicious page that submits a forged request. Once the payload is stored, every subsequent visit to the settings page by that administrator will trigger script execution. Mitigation is expected to involve removal of the CSRF flaw and proper output escaping.

Generated by OpenCVE AI on May 20, 2026 at 08:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Anomify AI plugin to the latest release that includes nonce verification and output escaping
  • If an upgrade is not immediately possible, add a unique nonce field (wp_nonce_field) to the settings form and enforce check_admin_referer() in the handler to block forged requests
  • Modify the template rendering the API key so that esc_attr() is used on the value before echoing it into the HTML attribute
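The three actions above map onto two small code changes in a WordPress settings page: a nonce emitted by the form and verified by the handler, and esc_attr() around the value echoed into the input's value attribute. The following is an added illustration written for this page, not the Anomify plugin's own code; the option key, nonce action, hook name and function names are hypothetical placeholders, and the WordPress functions used (wp_nonce_field, check_admin_referer, sanitize_text_field, esc_attr, update_option, get_option) are the standard core APIs.

```php
<?php
// Added example (not the Anomify plugin's code): a minimal settings handler and
// template that apply the two fixes the advisory calls for. All names prefixed
// "example_plugin" are hypothetical.

const EXAMPLE_OPTION       = 'example_plugin_api_key';        // hypothetical option key
const EXAMPLE_NONCE_ACTION = 'example_plugin_save_settings';  // hypothetical nonce action

// Handler for the form submission (admin-post.php routes POSTs with
// action=example_plugin_save here for logged-in users).
add_action( 'admin_post_example_plugin_save', 'example_plugin_handle_save' );

function example_plugin_handle_save() {
    // 1. Capability check: only users who may manage options can change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. Nonce check. The vulnerable handler omitted this, so any cross-origin
    //    POST was accepted. check_admin_referer() calls wp_die() when the nonce
    //    in the 'example_plugin_nonce' field is missing, stale or invalid.
    check_admin_referer( EXAMPLE_NONCE_ACTION, 'example_plugin_nonce' );

    // 3. Input sanitization. sanitize_text_field() strips tags but leaves double
    //    quotes intact; it is an input filter, not an output-escaping function,
    //    so the template below must still escape on output.
    $api_key = isset( $_POST['api_key'] )
        ? sanitize_text_field( wp_unslash( $_POST['api_key'] ) )
        : '';
    update_option( EXAMPLE_OPTION, $api_key );

    wp_safe_redirect( add_query_arg(
        'settings-updated', 'true',
        admin_url( 'options-general.php?page=example-plugin' )
    ) );
    exit;
}

// Template: renders the settings form with the nonce and escaped value.
function example_plugin_render_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $api_key = get_option( EXAMPLE_OPTION, '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_plugin_save">
        <?php
        // Emits a hidden input named 'example_plugin_nonce' bound to the action
        // above; the handler's check_admin_referer() verifies it.
        wp_nonce_field( EXAMPLE_NONCE_ACTION, 'example_plugin_nonce' );
        ?>
        <label for="api_key">API key</label>
        <!-- esc_attr() encodes double quotes (and <, >, &, ') as HTML entities,
             so a stored value cannot close the attribute and start a new one.
             The vulnerable pattern was a bare "echo $api_key" at this spot. -->
        <input type="text" id="api_key" name="api_key"
               value="<?php echo esc_attr( $api_key ); ?>">
        <?php submit_button( 'Save settings' ); ?>
    </form>
    <?php
}
```

The capability check is a third layer beyond what the advisory lists: a nonce proves the request came from a page the site itself rendered for this user, while current_user_can() proves the user is allowed to change the setting at all; the two checks guard against different failures and both belong in a settings handler.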


Tracking


Advisories

No advisories yet.

History

Wed, 20 May 2026 13:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 20 May 2026 11:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Simonholliday; Simonholliday anomify Ai – Anomaly Detection And Alerting; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Simonholliday; Simonholliday anomify Ai – Anomaly Detection And Alerting; Wordpress; Wordpress wordpress

Wed, 20 May 2026 07:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: The Anomify AI – Anomaly Detection and Alerting plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) leading to Stored Cross-Site Scripting (XSS) in versions up to and including 0.3.6. This is due to missing nonce verification on the settings page handler and insufficient output escaping in the admin_options.php template. The settings form includes no wp_nonce_field() and the handler performs no check_admin_referer() check, meaning any cross-origin POST can modify plugin settings. The API key field is sanitized only with sanitize_text_field(), which strips HTML tags but does not encode double-quote characters; the value is then rendered into an HTML attribute via bare echo without esc_attr(), allowing a double-quote attribute-escape payload to survive both sanitization and storage. This makes it possible for unauthenticated attackers to inject arbitrary web scripts by tricking a logged-in administrator into visiting a malicious page that submits a forged request, storing the payload in the database and causing it to execute in the administrator's browser whenever the plugin settings page is visited.

Type: Title
Values Removed: (none)
Values Added: Anomify AI <= 0.3.6 - Cross-Site Request Forgery

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-352

Type: References
Values Removed: (none)
Values Added: (none shown)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Subscriptions

Simonholliday Anomify Ai – Anomaly Detection And Alerting
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-20T12:51:32.929Z

Reserved: 2026-04-15T20:43:35.051Z

Link: CVE-2026-6405

Vulnrichment

Updated: 2026-05-20T12:51:28.540Z

NVD

Status : Deferred

Published: 2026-05-20T08:16:23.027

Modified: 2026-05-20T13:54:54.890

Link: CVE-2026-6405

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T10:37:53Z

Weaknesses