What the vulnerability does
01Description
The Anomify AI – Anomaly Detection and Alerting plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'anomify_api_key' parameter in versions up to and including 0.3.6. This is due to insufficient input sanitization and missing output escaping: the plugin applies sanitize_text_field() to the Metric Data Key input before saving it via update_option(), but sanitize_text_field() strips HTML tags without encoding double-quote characters, and the value is then echoed directly into an HTML attribute context (value="...") without esc_attr(). This makes it possible for authenticated attackers with administrator-level access to inject arbitrary web scripts that execute whenever a user visits the plugin's settings page.
Explanation of Vulnerability in Simple Terms
02Summary
Anomify AI versions 0.3.6 and earlier contain a cross-site scripting (XSS) vulnerability in a high-privilege context. An authenticated administrator can inject malicious scripts that execute in other users' browsers when they view affected pages. The vulnerability requires high system access and does not affect data confidentiality or availability directly, but can compromise site integrity and user trust.
What an attacker can do
03Attacker Capabilities
Inject malicious scripts that run in other users' browsers when they visit affected pages.
Potential impact on your site
04Site Impact
A malicious admin can inject scripts affecting other users' sessions and site functionality.
Conditions required to exploit
05Prerequisites
Attacker must have high-level administrative privileges on the system.
Key dates
06Disclosure timeline
May 20, 2026
CVE published
May 20, 2026
Record updated
