Skip to main content

PHP CVE-2026-3368

| EUVDEUVD-2026-13918 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-03-20 Wordfence
7.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Re-analysis Queued
Apr 22, 2026 - 21:37 vuln.today
cvss_changed
EUVD ID Assigned
Mar 20, 2026 - 23:46 euvd
EUVD-2026-13918
Analysis Generated
Mar 20, 2026 - 23:46 vuln.today
CVE Published
Mar 20, 2026 - 23:25 nvd
HIGH 7.2

DescriptionCVE.org

The Injection Guard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via malicious query parameter names in all versions up to and including 1.2.9. This is due to insufficient input sanitization in the sanitize_ig_data() function which only sanitizes array values but not array keys, combined with missing output escaping in the ig_settings.php template where stored parameter keys are echoed directly into HTML. When a request is made to the site, the plugin captures the query string via $_SERVER['QUERY_STRING'], applies esc_url_raw() (which preserves URL-encoded special characters like %22, %3E, %3C), then passes it to parse_str() which URL-decodes the string, resulting in decoded HTML/JavaScript in the array keys. These keys are stored via update_option('ig_requests_log') and later rendered without esc_html() or esc_attr() on the admin log page. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in the admin log page that execute whenever an administrator views the Injection Guard log interface.

AnalysisAI

The Injection Guard plugin for WordPress versions up to 1.2.9 contains a stored cross-site scripting (XSS) vulnerability that allows unauthenticated attackers to inject malicious JavaScript into the admin log interface. The flaw stems from insufficient sanitization of query parameter names, which are logged and later rendered without proper output escaping when administrators view the plugin's log page. This enables arbitrary script execution in the context of an authenticated administrator's browser session, potentially leading to account compromise or further malicious actions.

Technical ContextAI

This vulnerability affects the Injection Guard WordPress plugin (CPE: cpe:2.3:a:fahadmahmood:injection_guard:*:*:*:*:*:*:*:*) and is rooted in CWE-79 (Improper Neutralization of Input During Web Page Generation). The plugin captures incoming requests via $_SERVER['QUERY_STRING'], applies esc_url_raw() which preserves URL-encoded special characters, then uses parse_str() to decode the query string into an array. The sanitize_ig_data() function only sanitizes array values but ignores array keys, allowing attackers to craft malicious query parameter names containing HTML or JavaScript. These unsanitized keys are stored via update_option('ig_requests_log') and later echoed directly in ig_settings.php (lines 120, 121, 124) without esc_html() or esc_attr() output escaping, resulting in stored XSS when administrators view the log interface.

RemediationAI

WordPress site administrators should immediately upgrade the Injection Guard plugin to a patched version beyond 1.2.9 if available, checking the official WordPress plugin repository or the vendor's release notes. Until a patch is applied, administrators should consider temporarily disabling the Injection Guard plugin or restricting access to its admin log interface to only trusted administrators via WordPress role capabilities. As a defense-in-depth measure, implement Content Security Policy (CSP) headers to mitigate XSS impact by restricting script execution to trusted sources. Review existing log entries in the Injection Guard interface for suspicious query parameter names containing HTML/JavaScript syntax before an administrator inadvertently triggers stored payloads. Additional technical details and source code references are available at https://plugins.trac.wordpress.org/browser/injection-guard/ for security teams conducting impact assessment.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-3368 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy