{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4267", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-16T13:30:15.794Z", "datePublished": "2026-03-31T11:29:49.029Z", "dateUpdated": "2026-04-08T16:34:51.846Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:34:51.846Z"}, "affected": [{"vendor": "johnbillion", "product": "Query Monitor", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.20.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Query Monitor \u2013 The developer tools panel for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the \u2018$_SERVER['REQUEST_URI']\u2019 parameter in all versions up to, and including, 3.20.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}], "title": "Query Monitor <= 3.20.3 - Reflected Cross-Site Scripting via Request URI", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0b75cad9-9f76-4839-8eb2-40d84662846d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/query-monitor/tags/3.20.2/output/html/request.php#L60"}, {"url": "https://plugins.trac.wordpress.org/browser/query-monitor/tags/3.20.2/output/html/request.php#L70"}, {"url": "https://plugins.trac.wordpress.org/changeset/3486705/query-monitor"}, {"url": "https://research.cleantalk.org/cve-2026-4267/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "baseScore": 7.2, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Dmitrii Ignatyev"}], "timeline": [{"time": "2026-03-30T23:21:22.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-31T13:43:25.324512Z", "id": "CVE-2026-4267", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T13:44:01.538Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4267", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-31T13:43:25.324512Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T13:43:53.035Z"}}], "cna": {"title": "Query Monitor <= 3.20.3 - Reflected Cross-Site Scripting via Request URI", "credits": [{"lang": "en", "type": "finder", "value": "Dmitrii Ignatyev"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "johnbillion", "product": "Query Monitor", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.20.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-30T23:21:22.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0b75cad9-9f76-4839-8eb2-40d84662846d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/query-monitor/tags/3.20.2/output/html/request.php#L60"}, {"url": "https://plugins.trac.wordpress.org/browser/query-monitor/tags/3.20.2/output/html/request.php#L70"}, {"url": "https://plugins.trac.wordpress.org/changeset/3486705/query-monitor"}, {"url": "https://research.cleantalk.org/cve-2026-4267/"}], "descriptions": [{"lang": "en", "value": "The Query Monitor \u2013 The developer tools panel for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the \u2018$_SERVER['REQUEST_URI']\u2019 parameter in all versions up to, and including, 3.20.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:34:51.846Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4267", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:34:51.846Z", "dateReserved": "2026-03-16T13:30:15.794Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-31T11:29:49.029Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Query Monitor \u2013 The developer tools panel for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the \u2018$_SERVER['REQUEST_URI']\u2019 parameter in all versions up to, and including, 3.20.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}], "id": "CVE-2026-4267", "lastModified": "2026-04-24T18:11:16.583", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-31T12:16:31.360", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/query-monitor/tags/3.20.2/output/html/request.php#L60"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/query-monitor/tags/3.20.2/output/html/request.php#L70"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3486705/query-monitor"}, {"source": "security@wordfence.com", "url": "https://research.cleantalk.org/cve-2026-4267/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0b75cad9-9f76-4839-8eb2-40d84662846d?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.20.3]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Query Monitor \u2013 The developer tools panel for WordPress", "source": "cna", "vendor": "johnbillion"}, "product": "query_monitor_\u2013_the_developer_tools_panel_for_wordpress", "vendor": "johnbillion"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-31T12:50:34.663189+00:00", "value": {"mitigation_remediation": ["Update the Query Monitor plugin to version 3.20.4 or later", "If an update cannot be applied immediately, temporarily deactivate or delete the plugin", "Verify that the site no longer displays the unsanitized request URI in the user interface", "Review other plugins for similar XSS issues and apply updates as necessary"], "summary": {"action": "Apply Patch", "impact": "Reflected Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "All installations of Query Monitor version 3.20.3 or lower are affected. The plugin is typically used as a debugging tool on WordPress sites; any site running a vulnerable version and allowing the plugin to process request URIs in a public context is at risk.", "description_and_impact": "The Query Monitor plugin for WordPress is vulnerable to reflected cross\u2011site scripting due to insufficient sanitization and escaping of the $_SERVER['REQUEST_URI'] parameter in versions up to and including 3.20.3. A maliciously crafted URL can cause arbitrary web scripts to be executed in the browser of any user who opens the URL while the plugin is active.", "risk_and_exploitability": "The CVSS score of 7.2 indicates significant impact with moderate exploitability. No EPSS score is provided and the vulnerability is not listed in the CISA KEV catalog. Exploitation can occur remotely through a crafted link; the attacker only needs to persuade a legitimate user to visit the URL, after which the injected script runs without additional authentication."}}}}, "created": "2026-03-31T19:54:56.449243+00:00", "updated": "2026-03-31T20:38:50.440707+00:00", "vendors": ["johnbillion", "johnbillion$PRODUCT$query_monitor_\u2013_the_developer_tools_panel_for_wordpress", "wordpress", "wordpress$PRODUCT$wordpress"]}