CVE-2026-6404 Overview
CVE-2026-6404 is a Stored Cross-Site Scripting (XSS) vulnerability [CWE-79] in the Anomify AI – Anomaly Detection and Alerting plugin for WordPress. The flaw affects all versions up to and including 0.3.6. The vulnerability resides in the handling of the anomify_api_key parameter, where the plugin uses sanitize_text_field() on input but fails to apply esc_attr() on output. Authenticated attackers with administrator-level access can inject arbitrary web scripts that execute when any user visits the plugin's settings page.
Critical Impact
Successful exploitation enables script execution in the context of an administrator session, allowing session hijacking, plugin tampering, or pivoting to further account compromise within the WordPress admin interface.
Affected Products
- Anomify AI – Anomaly Detection and Alerting plugin for WordPress
- All versions up to and including 0.3.6
- WordPress sites with the plugin installed and activated
Discovery Timeline
- 2026-05-20 - CVE-2026-6404 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-6404
Vulnerability Analysis
The vulnerability is a Stored XSS flaw in the plugin's admin settings page. The anomify_api_key parameter, also referenced as the Metric Data Key input, is persisted to the WordPress options table via update_option(). On subsequent renders of the settings page, the stored value is echoed directly into an HTML value="..." attribute context without escaping.
The attack requires administrator-level privileges, which raises the privilege barrier. However, stored XSS in an admin context is still useful for adversaries seeking persistence after initial account compromise. Injected scripts execute every time a user with access to the settings page loads the page.
Root Cause
The root cause is a mismatch between input sanitization and output encoding. The plugin applies sanitize_text_field() to the input before storage. That function strips HTML tags but does not encode double-quote characters. When the stored value is later rendered into an HTML attribute using a value="..." construct, the absence of esc_attr() lets a double quote in the stored value terminate the attribute, so an attacker can append event-handler attributes that execute script.
The affected code paths are visible in Anomify Config.php line 152, Anomify Wp/Admin.php line 32, and admin_options.php line 43.
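The following stand-alone PHP is an added illustration of that mismatch, not code from the plugin: sanitize_text_field() and esc_attr() are replaced by simplified stand-ins (an assumption, since the real functions need WordPress loaded), and the submitted value is a constructed sample that carries no HTML tags.

```php
<?php
// Added example: the sanitize-on-input / escape-on-output mismatch behind
// CVE-2026-6404, modelled outside WordPress. The two WordPress helpers are
// stood in for by simplified equivalents (assumption, not the real API).

// Rough model of sanitize_text_field(): strips tags and trims, but leaves a
// double quote untouched, which is exactly the gap described above.
function model_sanitize_text_field(string $value): string {
    return trim(strip_tags($value));
}

// Stand-in for esc_attr(): encode &, <, >, " and ' for an attribute context.
function model_esc_attr(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable pattern: the stored value is placed into value="..." as-is.
function render_field_vulnerable(string $stored): string {
    return '<input type="text" name="anomify_api_key" value="' . $stored . '">';
}

// Hardened pattern: escape at the point of output, regardless of what
// sanitization happened on the way in.
function render_field_hardened(string $stored): string {
    return '<input type="text" name="anomify_api_key" value="'
        . model_esc_attr($stored) . '">';
}

// Constructed sample: no tags, so input sanitization keeps the quote and the
// harmless data-x attribute shows where the attribute boundary is lost.
$submitted = 'key-123" data-x="1';
$stored    = model_sanitize_text_field($submitted);   // quote survives
echo render_field_vulnerable($stored), "\n";  // value="key-123" data-x="1"
echo render_field_hardened($stored), "\n";    // value="key-123&quot; data-x=&quot;1"
```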
Attack Vector
An authenticated administrator submits a crafted value for the Metric Data Key field that contains a double-quote character followed by an HTML event handler such as onfocus or onmouseover. The payload bypasses sanitize_text_field() because no HTML tags are required. The injected attribute then executes JavaScript in the browser of any administrator who loads the plugin settings page. Refer to the Wordfence Vulnerability Analysis for additional context.
Detection Methods for CVE-2026-6404
Indicators of Compromise
- Unexpected values in the anomify_api_key option within the wp_options table containing characters such as ", onerror=, onfocus=, or <script.
- Outbound HTTP requests from administrator browsers to unknown domains after loading WordPress admin pages.
- Unauthorized changes to administrator accounts, plugins, or theme files following access to the Anomify settings page.
Detection Strategies
- Query the wp_options table for the anomify_api_key row and inspect its value for HTML attribute-breaking characters or JavaScript event handlers.
- Review WordPress audit logs for update_option events targeting Anomify settings by administrator accounts.
- Inspect web server access logs for POST requests to wp-admin/options-general.php or the Anomify settings endpoint containing encoded quote characters.
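The check below is an added example, not part of the plugin or of any vendor tooling: it applies the indicator list above to a stored option value or to a URL-encoded request body copied from an access log, decoding once before matching so that %22 is not missed. The sample values are constructed.

```php
<?php
// Added example: report which CVE-2026-6404 indicators a value matches.
// Works on the raw anomify_api_key option value (e.g. the output of
// "wp option get anomify_api_key") or on a URL-encoded POST body field.
function anomify_key_indicators(string $value): array {
    // Access-log entries carry URL-encoded bodies (%22 for a double quote),
    // so normalise once before matching; a raw option value is unchanged.
    $decoded = rawurldecode($value);
    $checks = [
        'double_quote'  => '/"/',
        'single_quote'  => "/'/",
        'tag_open'      => '/</',
        'event_handler' => '/\bon[a-z]+\s*=/i',
        'script_scheme' => '/javascript\s*:/i',
    ];
    $hits = [];
    foreach ($checks as $name => $pattern) {
        if (preg_match($pattern, $decoded)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// A legitimate API key is normally a plain token; anything outside this
// character set deserves a look even when no indicator pattern matched.
// The allowed alphabet and length are an assumption about the service.
function anomify_key_is_plausible(string $value): bool {
    return (bool) preg_match('/^[A-Za-z0-9_\-]{8,128}$/', $value);
}

// Constructed samples: a clean key, and an encoded POST body field as it
// might appear in a web server access log.
$samples = [
    'clean'   => 'Ab3dEf9hIjKl0mNoPqRsTuV',
    'encoded' => 'anomify_api_key=abc%22%20onfocus%3Dx',
];
foreach ($samples as $label => $value) {
    printf("%-8s plausible=%s indicators=%s\n", $label,
        anomify_key_is_plausible($value) ? 'yes' : 'no',
        implode(',', anomify_key_indicators($value)) ?: 'none');
}
```

The clean sample reports plausible=yes with no indicators; the encoded sample reports plausible=no with double_quote and event_handler.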
Monitoring Recommendations
- Monitor administrator session activity for anomalous JavaScript execution patterns or unexpected DOM modifications in admin pages.
- Alert on creation of new administrator accounts or modifications to existing accounts shortly after settings page access.
- Track plugin file modifications and changes to wp-config.php that may indicate post-XSS persistence.
How to Mitigate CVE-2026-6404
Immediate Actions Required
- Update the Anomify AI plugin to a version newer than 0.3.6 as soon as the vendor publishes a patched version.
- Restrict administrator account access to trusted personnel only and enforce multi-factor authentication on all admin accounts.
- Audit the current value of the anomify_api_key option and reset it to a known-clean value if any unexpected content is found.
Patch Information
At the time of publication, no fixed version has been listed in the NVD entry. Site operators should monitor the WordPress plugin repository and the Wordfence Vulnerability Analysis for release of a patched version that applies esc_attr() to the output of the anomify_api_key value.
Workarounds
- Deactivate the Anomify AI plugin until a patched version is available if the functionality is non-critical.
- Apply a Web Application Firewall (WAF) rule that blocks requests to the plugin settings endpoint containing double-quote characters combined with on*= event handler patterns.
- Implement a Content Security Policy (CSP) header on the WordPress admin interface that restricts inline script execution to mitigate stored XSS payloads; test it carefully, since the WordPress admin interface itself relies on inline scripts.
# Example WordPress CLI command to deactivate the plugin until patched
wp plugin deactivate anomify
# Example query to inspect the stored option value for suspicious content
wp option get anomify_api_key
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.