{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3368", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-27T21:15:02.411Z", "datePublished": "2026-03-20T23:25:10.600Z", "dateUpdated": "2026-04-08T16:37:02.719Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:37:02.719Z"}, "affected": [{"vendor": "fahadmahmood", "product": "Injection Guard", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.2.9", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Injection Guard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via malicious query parameter names in all versions up to and including 1.2.9. This is due to insufficient input sanitization in the sanitize_ig_data() function which only sanitizes array values but not array keys, combined with missing output escaping in the ig_settings.php template where stored parameter keys are echoed directly into HTML. When a request is made to the site, the plugin captures the query string via $_SERVER['QUERY_STRING'], applies esc_url_raw() (which preserves URL-encoded special characters like %22, %3E, %3C), then passes it to parse_str() which URL-decodes the string, resulting in decoded HTML/JavaScript in the array keys. These keys are stored via update_option('ig_requests_log') and later rendered without esc_html() or esc_attr() on the admin log page. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in the admin log page that execute whenever an administrator views the Injection Guard log interface."}], "title": "Injection Guard <= 1.2.9 - Unauthenticated Stored Cross-Site Scripting via Query Parameter Name", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/15d9817c-910d-4ce1-a5fb-67a2b6580e16?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/injection-guard/trunk/guard.php#L94"}, {"url": "https://plugins.trac.wordpress.org/browser/injection-guard/trunk/ig_settings.php#L120"}, {"url": "https://plugins.trac.wordpress.org/browser/injection-guard/trunk/ig_settings.php#L121"}, {"url": "https://plugins.trac.wordpress.org/browser/injection-guard/tags/1.2.8/ig_settings.php#L121"}, {"url": "https://plugins.trac.wordpress.org/browser/injection-guard/tags/1.2.8/ig_settings.php#L120"}, {"url": "https://plugins.trac.wordpress.org/browser/injection-guard/trunk/ig_settings.php#L124"}, {"url": "https://plugins.trac.wordpress.org/browser/injection-guard/tags/1.2.8/ig_settings.php#L124"}, {"url": "https://plugins.trac.wordpress.org/browser/injection-guard/tags/1.2.8/guard.php#L94"}, {"url": "https://plugins.trac.wordpress.org/browser/injection-guard/trunk/guard.php#L105"}, {"url": "https://plugins.trac.wordpress.org/browser/injection-guard/tags/1.2.8/guard.php#L105"}, {"url": "https://plugins.trac.wordpress.org/browser/injection-guard/trunk/guard.php#L8"}, {"url": "https://plugins.trac.wordpress.org/browser/injection-guard/tags/1.2.8/guard.php#L8"}, {"url": "https://plugins.trac.wordpress.org/browser/injection-guard/trunk/guard.php#L153"}, {"url": "https://plugins.trac.wordpress.org/browser/injection-guard/tags/1.2.8/guard.php#L153"}, {"url": "https://plugins.trac.wordpress.org/browser/injection-guard/trunk/guard.php#L49"}, {"url": "https://plugins.trac.wordpress.org/browser/injection-guard/tags/1.2.8/guard.php#L49"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3482741%40injection-guard&new=3482741%40injection-guard&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "baseScore": 7.2, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Itthidej Aramsri"}], "timeline": [{"time": "2026-03-20T10:55:45.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T15:28:30.566055Z", "id": "CVE-2026-3368", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T15:29:00.488Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Injection Guard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via malicious query parameter names in all versions up to and including 1.2.9. This is due to insufficient input sanitization in the sanitize_ig_data() function which only sanitizes array values but not array keys, combined with missing output escaping in the ig_settings.php template where stored parameter keys are echoed directly into HTML. When a request is made to the site, the plugin captures the query string via $_SERVER['QUERY_STRING'], applies esc_url_raw() (which preserves URL-encoded special characters like %22, %3E, %3C), then passes it to parse_str() which URL-decodes the string, resulting in decoded HTML/JavaScript in the array keys. These keys are stored via update_option('ig_requests_log') and later rendered without esc_html() or esc_attr() on the admin log page. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in the admin log page that execute whenever an administrator views the Injection Guard log interface."}, {"lang": "es", "value": "El plugin Injection Guard para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s de nombres de par\u00e1metros de consulta maliciosos en todas las versiones hasta la 1.2.9 inclusive. Esto se debe a una sanitizaci\u00f3n de entrada insuficiente en la funci\u00f3n `sanitize_ig_data()` que solo sanitiza los valores de los arrays pero no las claves de los arrays, combinado con una falta de escape de salida en la plantilla `ig_settings.php` donde las claves de los par\u00e1metros almacenados se imprimen directamente en HTML. Cuando se realiza una solicitud al sitio, el plugin captura la cadena de consulta a trav\u00e9s de `$_SERVER['QUERY_STRING']`, aplica `esc_url_raw()` (que preserva caracteres especiales codificados en URL como %22, %3E, %3C), luego lo pasa a `parse_str()` que decodifica la cadena de URL, lo que resulta en HTML/JavaScript decodificado en las claves de los arrays. Estas claves se almacenan a trav\u00e9s de `update_option('ig_requests_log')` y luego se renderizan sin `esc_html()` o `esc_attr()` en la p\u00e1gina de registro del administrador. Esto hace posible que atacantes no autenticados inyecten scripts web arbitrarios en la p\u00e1gina de registro del administrador que se ejecutan cada vez que un administrador ve la interfaz de registro de Injection Guard."}], "id": "CVE-2026-3368", "lastModified": "2026-04-22T21:32:08.360", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-21T00:16:28.007", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/injection-guard/tags/1.2.8/guard.php#L105"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/injection-guard/tags/1.2.8/guard.php#L153"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/injection-guard/tags/1.2.8/guard.php#L49"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/injection-guard/tags/1.2.8/guard.php#L8"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/injection-guard/tags/1.2.8/guard.php#L94"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/injection-guard/tags/1.2.8/ig_settings.php#L120"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/injection-guard/tags/1.2.8/ig_settings.php#L121"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/injection-guard/tags/1.2.8/ig_settings.php#L124"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/injection-guard/trunk/guard.php#L105"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/injection-guard/trunk/guard.php#L153"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/injection-guard/trunk/guard.php#L49"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/injection-guard/trunk/guard.php#L8"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/injection-guard/trunk/guard.php#L94"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/injection-guard/trunk/ig_settings.php#L120"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/injection-guard/trunk/ig_settings.php#L121"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/injection-guard/trunk/ig_settings.php#L124"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3482741%40injection-guard&new=3482741%40injection-guard&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/15d9817c-910d-4ce1-a5fb-67a2b6580e16?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.2.9]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Injection Guard", "source": "cna", "vendor": "fahadmahmood"}, "product": "injection_guard", "vendor": "fahadmahmood"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-21T07:26:21.375929+00:00", "value": {"mitigation_remediation": ["Update the Injection Guard plugin to the latest version that addresses this issue.", "If no fix is available, disable or delete the plugin entirely to prevent exploitation.", "Clear the existing ig_requests_log option to remove any stored malicious scripts.", "Limit or monitor access to the Injection Guard log page, ensuring only trusted administrators can view it.", "Consider implementing a web application firewall rule that blocks or sanitizes suspicious query parameters."], "summary": {"action": "Patch Now", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "WordPress sites running the Injection Guard plugin version 1.2.9 or earlier are affected. The vulnerability exists in all releases up to and including 1.2.9. Any site that has this plugin installed is therefore at risk.", "description_and_impact": "The Injection Guard WordPress plugin allows an unauthenticated attacker to embed malicious script code in query parameter names. Unsanitized array keys are stored in the plugin\u2019s log option and later output without proper escaping. When an administrator views the log interface, the injected code executes in the admin browser session, giving the attacker the ability to steal credentials, modify site content, or perform additional attacks in the administrator\u2019s context. The weakness is a classic stored XSS flaw (CWE\u201179).", "risk_and_exploitability": "The CVSS score of 7.2 indicates a high risk level. No EPSS score is provided and the vulnerability is not listed in the CISA KEV catalog, but the attack path is straightforward: an attacker crafts a URL containing malicious query parameter names, visits the site to store the payload in the plugin\u2019s database, and later an administrator\u2019s visit to the log page triggers execution. Because the exploit does not require authentication to inject but relies on an unauthenticated request, the barrier to exploitation is low, while the impact on any admin who views the log page is severe."}}}}, "created": "2026-03-23T09:51:42.484364+00:00", "updated": "2026-03-25T14:33:42.035678+00:00", "vendors": ["fahadmahmood", "fahadmahmood$PRODUCT$injection_guard", "wordpress", "wordpress$PRODUCT$wordpress"]}