CVE-2026-3349 Overview
CVE-2026-3349 is a Reflected Cross-Site Scripting (XSS) vulnerability in the MinhNhut Link Gateway plugin for WordPress. The flaw affects all versions up to and including 3.6.1. The plugin fails to sanitize input and escape output for the url parameter on the redirect page. Unauthenticated attackers can inject arbitrary web scripts that execute in a victim's browser when the victim clicks a crafted link. The vulnerability is tracked under [CWE-79] (Improper Neutralization of Input During Web Page Generation).
Critical Impact
Unauthenticated attackers can execute arbitrary JavaScript in victims' browsers through crafted redirect URLs, enabling session theft, credential harvesting, and administrative account takeover when a logged-in WordPress administrator clicks a malicious link.
Affected Products
- MinhNhut Link Gateway plugin for WordPress (all versions ≤ 3.6.1)
- WordPress sites running the vulnerable plugin on the redirect template templates/default/index.php
- Plugin handler logic in classes.php processing the url query parameter
Discovery Timeline
- 2026-05-27 - CVE-2026-3349 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-3349
Vulnerability Analysis
The MinhNhut Link Gateway plugin provides a redirect interception page that displays the destination URL before forwarding visitors. The plugin reads the url query parameter and reflects its value into the rendered HTML output of the redirect template. Because the plugin does not apply sufficient input sanitization on the server side and does not escape the value during output, attacker-controlled markup is rendered verbatim in the browser.
Reflected XSS requires user interaction. An attacker crafts a URL pointing to the redirect endpoint with a malicious payload appended to the url parameter. When a victim visits that URL, the injected JavaScript executes in the security context of the WordPress site. Successful exploitation can lead to session cookie theft, forced administrative actions via authenticated requests, or redirection to phishing infrastructure.
Root Cause
The root cause is missing output escaping in the plugin template. The redirect template at templates/default/index.php line 19 emits the url parameter directly into the HTML response. The handler logic in classes.php near line 263 does not normalize, validate, or strip script-bearing content before passing the value to the template. WordPress provides esc_url() and esc_attr() functions for this purpose, but neither is applied to the reflected value.
Attack Vector
Exploitation occurs over the network and requires victim interaction. An attacker delivers a crafted link through phishing email, social media, forum posts, or compromised third-party sites. The link targets the plugin's redirect endpoint with a malicious payload encoded into the url parameter. When clicked, the payload executes in the victim's browser under the origin of the affected WordPress site. Because the scope is changed (S:C in the CVSS vector), the impact crosses trust boundaries into the user's authenticated session.
No authenticated example payloads have been published. See the Wordfence Vulnerability Analysis and the WordPress Plugin Template Code for the vulnerable code path.
Detection Methods for CVE-2026-3349
Indicators of Compromise
- Requests to the WordPress site containing the url query parameter with URL-encoded <script>, javascript:, onerror=, or onload= substrings
- Outbound browser requests to unexpected domains following user visits to the redirect endpoint
- Unexpected administrative actions (user creation, plugin installation, option changes) originating from administrator sessions shortly after clicking external links
Detection Strategies
- Inspect web server access logs for the plugin's redirect path combined with suspicious url parameter values containing HTML or JavaScript syntax
- Deploy Web Application Firewall (WAF) rules that match reflected XSS signatures against the url parameter on the redirect endpoint
- Correlate referrer headers from external sources with subsequent privileged actions in WordPress audit logs
Monitoring Recommendations
- Enable verbose request logging for /wp-content/plugins/minhnhut-link-gateway/ and any front-controller URLs that invoke the plugin's redirect handler
- Monitor for spikes in 200 responses to the redirect endpoint originating from a small set of referrers
- Track WordPress administrator session activity for anomalies following inbound clicks from external referrers
How to Mitigate CVE-2026-3349
Immediate Actions Required
- Deactivate and remove the MinhNhut Link Gateway plugin if a patched version is not yet available
- Apply WAF rules to block requests containing script payloads in the url parameter on the redirect endpoint
- Force a password reset and session invalidation for WordPress administrators who may have clicked suspicious links
- Audit installed plugins, users, and scheduled tasks for unauthorized changes
Patch Information
At the time of NVD publication on 2026-05-27, no fixed version was identified in the CVE record. All versions up to and including 3.6.1 are affected. Administrators should monitor the WordPress Plugin Code Review repository and the Wordfence Vulnerability Analysis for an updated release that applies esc_url() and esc_attr() to the url parameter.
Workarounds
- Restrict access to the plugin's redirect endpoint via web server rules until a patch is released
- Apply a Content Security Policy (CSP) header that disallows inline scripts to reduce exploitability of reflected XSS
- Educate administrators and editors to avoid clicking redirect links delivered through untrusted channels
- Replace the plugin with a maintained alternative that performs proper output escaping
# Example nginx rule to block script payloads in the url parameter
location ~* /\?.*url=.*(<script|javascript:|onerror=|onload=) {
return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
