Threat Entry Updated 2026-05-20

CVE-2026-6405 - Anomify Plugin

The Anomify AI – Anomaly Detection and Alerting plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) leading to Stored Cross-Site Scripting (XSS) in versions up to and including 0.3.6. This is due to missing nonce verification on the settings page handler and insufficient output escaping in the admin_options.php template. The settings form includes no wp_nonce_field() and the handler performs no check_admin_referer() check, meaning any cross-origin POST can modify plugin settings. The API key field is sanitized only with sanitize_text_field(), which strips HTML tags but does not encode double-quote…

PLUGIN Anomify

CVE-2026-6405

MEDIUM CVSS 4.3 2026-05-20

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2026-05-20

CVE-2026-6404 - Anomify Plugin

The Anomify AI – Anomaly Detection and Alerting plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'anomify_api_key' parameter in versions up to and including 0.3.6. This is due to insufficient input sanitization and missing output escaping: the plugin applies sanitize_text_field() to the Metric Data Key input before saving it via update_option(), but sanitize_text_field() strips HTML tags without encoding double-quote characters, and the value is then echoed directly into an HTML attribute context (value="...") without esc_attr(). This makes it possible for authenticated attackers with administrator-level access to inject…

PLUGIN Anomify

CVE-2026-6404

MEDIUM CVSS 4.4 2026-05-20

Risk Score

Open Full Technical Breakdown