PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-6405 simonholliday CVE debrief

The Anomify AI – Anomaly Detection and Alerting plugin for WordPress, versions up to and including 0.3.6, contains a Cross-Site Request Forgery (CSRF) vulnerability that leads to Stored Cross-Site Scripting (XSS). The plugin's settings page handler performs no nonce verification (no wp_nonce_field() in the form and no check_admin_referer() in the handler), so a POST request that an attacker-controlled page causes a logged-in administrator's browser to submit is accepted as if the administrator had filled in the form. The attacker needs no account on the site; the authentication comes from the victim's session. The API key field is passed through sanitize_text_field(), which strips HTML tags and control characters but leaves double-quote characters intact. Because admin_options.php echoes the stored value into an HTML attribute via bare echo without esc_attr(), a value that closes the attribute with a double quote and appends further attributes survives both sanitization and storage. An attacker who tricks a logged-in administrator into visiting a malicious page that submits the forged request therefore stores a script payload that executes the next time the administrator opens the plugin settings page.

Vendor
simonholliday
Product
Anomify AI – Anomaly Detection and Alerting
CVSS
MEDIUM 4.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-20
Original CVE updated
2026-05-20
Advisory published
2026-05-20
Advisory updated
2026-05-20

Who should care

WordPress site administrators using the Anomify AI plugin; security teams monitoring WordPress plugin vulnerabilities; developers maintaining WordPress plugins with administrative settings interfaces

Technical summary

The vulnerability chain begins with missing CSRF protection in the plugin's settings handler: Admin.php processes the POST request without verifying a nonce, so cross-origin form submissions carried by an administrator's session cookies are accepted. The submitted API key reaches sanitize_text_field(), which removes HTML tags but preserves double-quote characters. In admin_options.php the stored value is echoed directly into an HTML attribute without esc_attr() encoding, so a value containing a double quote terminates the attribute and everything after it is parsed as additional attributes, including JavaScript event handlers. No angle brackets are needed, which is why tag stripping alone does not help. When the administrator visits a page the attacker controls, the forged POST request stores the payload; each later visit to the plugin settings page then executes the injected script in the administrator's browser, with the administrator's privileges.
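The two halves of the chain and their fixes, shown side by side as an added example written for this debrief rather than taken from the plugin's source. The option key, nonce action name, field name and function names are assumptions chosen for illustration; only standard WordPress API functions (sanitize_text_field(), esc_attr(), wp_nonce_field(), check_admin_referer(), current_user_can(), wp_unslash(), update_option(), get_option()) are called, so the code runs inside any WordPress plugin:

```php
<?php
// Added example, not the plugin's own code. The option key 'example_api_key',
// the nonce action 'example_save_settings', the nonce field 'example_nonce'
// and the function names are assumptions for illustration.

/* ---- Vulnerable pattern, as the advisory describes it ---- */

// Handler: saves the field without checking a nonce, so a cross-origin form
// submitted by an administrator's browser is accepted as a genuine save.
function example_vuln_save_settings() {
    if ( isset( $_POST['example_api_key'] ) ) {
        // sanitize_text_field() strips tags and control characters but leaves
        // double quotes intact, so a value such as
        //   " onfocus="alert(1)" autofocus="
        // is stored unchanged (it contains no < or > to strip).
        update_option(
            'example_api_key',
            sanitize_text_field( wp_unslash( $_POST['example_api_key'] ) )
        );
    }
}

// Template: echoes the stored value straight into an attribute.
function example_vuln_render_settings() {
    $key = get_option( 'example_api_key', '' );
    echo '<form method="post">';
    // With the value above this emits
    //   <input type="text" name="example_api_key" value="" onfocus="alert(1)" autofocus="">
    // and the handler runs as soon as the page is opened.
    echo '<input type="text" name="example_api_key" value="' . $key . '">';
    echo '<input type="submit" value="Save">';
    echo '</form>';
}

/* ---- Hardened pattern ---- */

function example_safe_save_settings() {
    if ( ! isset( $_POST['example_api_key'] ) ) {
        return;
    }
    // Authorisation: only users allowed to manage options may save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // CSRF check: dies unless a valid nonce for this action accompanies the
    // request. A cross-site page cannot read the nonce, so forged POSTs fail here.
    check_admin_referer( 'example_save_settings', 'example_nonce' );
    update_option(
        'example_api_key',
        sanitize_text_field( wp_unslash( $_POST['example_api_key'] ) )
    );
}

function example_safe_render_settings() {
    $key = get_option( 'example_api_key', '' );
    echo '<form method="post">';
    // Emits the hidden nonce field (plus a referer field) tied to the action.
    wp_nonce_field( 'example_save_settings', 'example_nonce' );
    // esc_attr() encodes " as &quot; (and <, >, &, '), so the stored value can
    // no longer terminate the attribute; the same payload is rendered as text.
    echo '<input type="text" name="example_api_key" value="' . esc_attr( $key ) . '">';
    echo '<input type="submit" value="Save">';
    echo '</form>';
}
```

Both fixes are needed. The nonce closes the cross-origin write path, but the unescaped echo would still be reachable by any other code that writes the option, so output must be escaped for the attribute context it lands in; sanitizing on input does not substitute for that.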

Defensive priority

medium

Recommended defensive actions

  • Update the Anomify AI plugin to version 0.3.7 or later if available
  • Apply WordPress core updates promptly to benefit from security hardening
  • Add Web Application Firewall (WAF) or reverse-proxy rules that reject POST requests to WordPress admin endpoints whose Origin or Referer header does not match the site's own origin; a forged submission has the same body as a legitimate one, so header checks are the signal a WAF can actually use
  • Review administrator session management and consider requiring re-authentication for sensitive plugin settings changes
  • Inspect the plugin's stored API key value (via WP-CLI's wp option get or directly in the wp_options table) for double quotes, attribute-like fragments such as on...= or autofocus, or anything else a real API key would not contain, especially if administrators have recently visited untrusted external links; a tampered value indicates the forged request has already landed
  • Consider disabling the plugin temporarily if no patch is available and the functionality is not critical

Evidence notes

Vulnerability confirmed via WordPress plugin repository source code analysis. CSRF weakness identified in Admin.php handler (missing nonce verification). XSS vector confirmed in admin_options.php template (unescaped attribute output). sanitize_text_field() behavior documented as insufficient for attribute context. CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N.

Official resources

2026-05-20