The Anomify AI – Anomaly Detection and Alerting plugin for WordPress, versions up to and including 0.3.6, contains a Cross-Site Request Forgery (CSRF) vulnerability that enables Stored Cross-Site Scripting (XSS). The plugin's settings page handler lacks nonce verification (no wp_nonce_field() in the form and no check_admin_referer() in the handler), allowing unauthenticated attackers to forge cross-origin [truncated]
CVE-2026-6404 documents a stored cross-site scripting (XSS) vulnerability in the Anomify AI – Anomaly Detection and Alerting WordPress plugin, affecting versions up to and including 0.3.6. The flaw resides in the handling of the 'anomify_api_key' parameter, where insufficient input sanitization combined with missing output escaping enables script injection. Specifically, the plugin applies sanitize_text_f [truncated]