🔐 CVE Alert

CVE-2026-6404

MEDIUM 4.4

Anomify AI <= 0.3.6 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'anomify_api_key' Parameter

CVSS Score
4.4
EPSS Score
0.0%
EPSS Percentile
10th

The Anomify AI – Anomaly Detection and Alerting plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'anomify_api_key' parameter in versions up to and including 0.3.6. This is due to insufficient input sanitization and missing output escaping: the plugin applies sanitize_text_field() to the Metric Data Key input before saving it via update_option(), but sanitize_text_field() strips HTML tags without encoding double-quote characters, and the value is then echoed directly into an HTML attribute context (value="...") without esc_attr(). This makes it possible for authenticated attackers with administrator-level access to inject arbitrary web scripts that execute whenever a user visits the plugin's settings page.

CWE CWE-79
Vendor simonholliday
Product anomify ai – anomaly detection and alerting
Published May 20, 2026
Last Updated May 20, 2026
Stay Ahead of the Next One

Get instant alerts for simonholliday anomify ai – anomaly detection and alerting

Be the first to know when new medium vulnerabilities affecting simonholliday anomify ai – anomaly detection and alerting are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability

Affected Versions

simonholliday / Anomify AI – Anomaly Detection and Alerting
0 ≤ 0.3.6

References

NVD ↗ CVE.org ↗ EPSS Data ↗
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/4036057c-0c43-4d9c-97db-4861d91a4daa?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/anomify/trunk/Anomify/Wp/includes/admin_options.php#L43 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/anomify/tags/0.3.6/Anomify/Wp/includes/admin_options.php#L43 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/anomify/trunk/Anomify/Wp/Admin.php#L32 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/anomify/tags/0.3.6/Anomify/Wp/Admin.php#L32 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/anomify/trunk/Anomify/Config.php#L152 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/anomify/tags/0.3.6/Anomify/Config.php#L152

Credits

Muhammad Nur Ibnu Hubab