PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-6404 simonholliday CVE debrief

CVE-2026-6404 documents a stored cross-site scripting (XSS) vulnerability in the Anomify AI – Anomaly Detection and Alerting WordPress plugin, affecting versions up to and including 0.3.6. The flaw lies in the handling of the 'anomify_api_key' parameter, where insufficient input sanitization combined with missing output escaping enables script injection. The plugin applies sanitize_text_field() to the Metric Data Key input before storing it via update_option(); that function strips HTML tags, line breaks and surplus whitespace, but it does not encode double-quote characters. The stored value is then echoed directly into an HTML attribute context (value="...") without esc_attr(), so a value containing a double quote terminates the attribute and the remainder of the value is parsed as further attributes, including event handlers. This allows an authenticated user with administrator-level privileges to store a payload that executes in the browser of anyone who views the plugin's settings page.

The vulnerability was published to the CVE List on 20 May 2026 and carries a CVSS 3.1 base score of 4.4 (Medium) with the vector AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N: network attack vector, high attack complexity, high privileges required, no user interaction, changed scope, low confidentiality and integrity impact, and no availability impact. The weakness is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). No exploitation in the wild or use in ransomware campaigns has been reported, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.

Vendor
simonholliday
Product
Anomify AI – Anomaly Detection and Alerting
CVSS
MEDIUM 4.4
CISA KEV
Not listed (per stored evidence)
Original CVE published
2026-05-20
Original CVE updated
2026-05-20
Advisory published
2026-05-20
Advisory updated
2026-05-20

Who should care

WordPress site administrators running the Anomify AI plugin, security teams managing WordPress deployments, and plugin developers whose code relies on sanitize_text_field() alone before echoing a value into an HTML attribute

Technical summary

The Anomify AI WordPress plugin (≤0.3.6) contains a stored XSS vulnerability in the anomify_api_key parameter. The plugin sanitizes the input with sanitize_text_field(), which removes HTML tags but does not encode double quotes, and later renders the stored value inside an HTML attribute without esc_attr(). A stored value that begins with a double quote therefore closes the attribute early, and the rest of the value is interpreted as additional attributes, so an attacker with administrator privileges can store a JavaScript payload that executes in the browser of any user who views the settings page. As with other administrator-level stored XSS in WordPress, the practical exposure is greatest on multisite installations and on sites that have removed the unfiltered_html capability (DISALLOW_UNFILTERED_HTML), since on a default single-site install administrators can already publish arbitrary HTML.
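As an added example that is not the plugin's code or the advisory's, the following standalone Python model reproduces the mechanism described in the debrief and the technical summary above: a simplified stand-in for sanitize_text_field() that strips tags but leaves quotes alone, an esc_attr() equivalent, a hypothetical settings field rendered with and without attribute encoding, and a parser-based check showing that the unencoded rendering turns attacker input into extra attributes on the <input> element. The field markup and the payload are constructed for this example.

```python
import html
import re
from html.parser import HTMLParser

# Simplified model of WordPress's sanitize_text_field(). The real function
# also validates UTF-8 and handles a few more corner cases; what matters here,
# and what this model reproduces, is that it strips tags, line breaks and
# surplus whitespace but leaves quote characters untouched.
def sanitize_text_field_model(value: str) -> str:
    value = re.sub(r"<(script|style)[^>]*>.*?</\1>", "", value, flags=re.S | re.I)
    value = re.sub(r"<[^>]*>", "", value)          # strip remaining tags
    value = re.sub(r"[\r\n\t ]+", " ", value)      # collapse whitespace
    value = re.sub(r"%[0-9a-fA-F]{2}", "", value)  # drop percent-encoded octets
    return value.strip()


# esc_attr() equivalent: HTML-encode & < > " and ' so the value cannot end the
# attribute it is placed in.
def esc_attr_model(value: str) -> str:
    return html.escape(value, quote=True)


# Hypothetical settings-page field (constructed for this example) rendered the
# vulnerable way, with the stored option echoed straight into value="...",
# and the fixed way, with attribute encoding applied at output time.
def render_vulnerable(stored: str) -> str:
    return f'<input type="text" name="anomify_api_key" value="{stored}">'


def render_fixed(stored: str) -> str:
    return f'<input type="text" name="anomify_api_key" value="{esc_attr_model(stored)}">'


class _InputAttrs(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.attrs: list = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = attrs


def input_attributes(markup: str) -> dict:
    """Parse the rendered markup the way a browser would and return the
    <input> element's attributes. A successful breakout shows up as extra
    attributes (here an onfocus handler) that the template never declared."""
    parser = _InputAttrs()
    parser.feed(markup)
    return dict(parser.attrs)


# Constructed attacker input: it contains no tags and no line breaks, so the
# sanitizer leaves it intact, and its leading double quote closes value="".
PAYLOAD = '" autofocus onfocus="alert(document.domain)'


def demo():
    stored = sanitize_text_field_model(PAYLOAD)  # what update_option() would persist
    return stored, input_attributes(render_vulnerable(stored)), input_attributes(render_fixed(stored))


if __name__ == "__main__":
    stored, vuln, fixed = demo()
    print("stored value      :", stored)
    print("vulnerable render :", render_vulnerable(stored))
    print("  parsed attrs    :", vuln)
    print("fixed render      :", render_fixed(stored))
    print("  parsed attrs    :", fixed)
```

Running the block shows the sanitized value is byte-for-byte the payload; in the vulnerable rendering the parser reports an empty value plus autofocus and onfocus attributes the template never declared, while in the fixed rendering the whole payload is returned as the value attribute and nothing else changes. Note that a tag-based payload such as an <img onerror> would be stripped by the sanitizer, which is exactly why the quote-based breakout is the relevant vector here.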

Defensive priority

medium

Recommended defensive actions

  • Upgrade the Anomify AI plugin to a version newer than 0.3.6 once a patched release becomes available
  • Escape at the point of output with the function that matches the context: esc_attr() for values inside HTML attributes, and esc_html(), esc_url() or esc_js() for text, URL and inline-script contexts; sanitize_text_field() on input is not a substitute for output escaping
  • Review the plugin's other settings that are stored after sanitize_text_field() and confirm each one is escaped for its output context before it is rendered
  • Deploy a Content Security Policy that disallows inline event handlers and scripts to limit the impact of any residual XSS, noting that wp-admin itself relies on inline scripts, so a strict policy there needs testing
  • Restrict administrative access to plugin settings pages to trusted personnel only
  • Monitor WordPress plugin repository and Wordfence threat intelligence for patch availability announcements
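One way to carry out the review in the list above, as an added example that is not the plugin's code or the advisory's: a small Python scanner that flags PHP output statements emitting get_option() data, directly or through a variable assigned from get_option(), without an esc_*() wrapper on the same statement. The PHP sample is constructed for this example and is not the plugin's source.

```python
import re

# Heuristic source check: flag PHP echo/print statements that emit a
# get_option() value, directly or via a variable assigned from get_option(),
# with no esc_*() call in the same statement. It is a triage aid for manual
# review, not a proof of safety: multi-line statements and values passed
# through other functions are missed.
ASSIGN = re.compile(r"(\$\w+)\s*=\s*get_option\(")
OUTPUT = re.compile(r"\b(?:echo|print)\b([^;]*)")
ESCAPED = re.compile(r"\besc_(?:attr|html|url|textarea|js)\(")


def find_unescaped_option_output(source: str) -> list[tuple[int, str]]:
    """Return (line number, line) pairs that output option data unescaped."""
    tainted: set[str] = set()
    hits: list[tuple[int, str]] = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in ASSIGN.finditer(line):
            tainted.add(m.group(1))          # e.g. "$key" assigned from get_option()
        for m in OUTPUT.finditer(line):
            expr = m.group(1)
            uses_option = "get_option(" in expr or any(
                re.search(re.escape(v) + r"\b", expr) for v in tainted
            )
            if uses_option and not ESCAPED.search(expr):
                hits.append((lineno, line.strip()))
    return hits


# Constructed PHP sample modelled on a settings page. Lines 4 and 6 echo the
# option into an attribute without esc_attr(); the others are escaped.
SAMPLE_PHP = """\
<?php
$key = get_option( 'anomify_api_key' );
?>
<input type="text" name="anomify_api_key" value="<?php echo get_option( 'anomify_api_key' ); ?>">
<input type="text" name="anomify_api_key" value="<?php echo esc_attr( get_option( 'anomify_api_key' ) ); ?>">
<input type="text" name="anomify_api_key" value="<?php echo $key; ?>">
<input type="text" name="anomify_api_key" value="<?php echo esc_attr( $key ); ?>">
<p><?php echo esc_html( get_option( 'anomify_label' ) ); ?></p>
"""


if __name__ == "__main__":
    for lineno, line in find_unescaped_option_output(SAMPLE_PHP):
        print(f"line {lineno}: {line}")
```

Point the function at the contents of each PHP file under the plugin directory and treat every hit as a candidate to read by hand; the check does not confirm that the esc_*() it sees is the right one for the context, so an esc_html() inside an attribute would still pass it.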

Evidence notes

Vulnerability details are sourced from the NVD record, with the Wordfence advisory as the primary reference. Code locations were identified in plugin version 0.3.6 (tags) and trunk via WordPress Plugin Trac browser references. The CVSS vector and CWE classification are as provided by Wordfence. Vendor attribution is marked low confidence and requires review because the source data designates 'Unknown Vendor'.

Official resources

2026-05-20