Skip to main content

ManageWP Worker CVE-2026-3718

| EUVDEUVD-2026-30246 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-05-14 Wordfence GHSA-vfvf-2h2w-cj9j
7.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 08, 2026 - 08:49 vuln.today
CVE Published
May 14, 2026 - 06:44 nvd
HIGH 7.2

DescriptionCVE.org

The ManageWP Worker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'MWP-Key-Name' HTTP request header in all versions up to, and including, 4.9.31. This is due to insufficient input sanitization and output escaping of attacker-controlled header values. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator visits the plugin's connection management page with debug parameters.

AnalysisAI

Stored cross-site scripting in the ManageWP Worker WordPress plugin (versions ≤ 4.9.31) allows unauthenticated remote attackers to inject arbitrary JavaScript via a crafted 'MWP-Key-Name' HTTP request header, which executes when an administrator later visits the plugin's connection management page with debug parameters. No public exploit identified at time of analysis, and the EPSS score is very low (0.07%, 22nd percentile), but the unauthenticated network attack vector and changed scope (S:C) keep this relevant for any site using the plugin.

Technical ContextAI

ManageWP Worker is a remote-management agent plugin that lets the ManageWP SaaS dashboard control WordPress installations, processing inbound HTTP requests that carry custom headers used for connection bootstrapping and key registration. The flaw is a classic CWE-79 (Improper Neutralization of Input During Web Page Generation) issue: the attacker-controlled 'MWP-Key-Name' header value is persisted and later rendered into administrator-facing HTML on the plugin's connection management screen without sufficient sanitization or output escaping, so injected markup executes in the admin's authenticated browser context. The affected CPE is cpe:2.3:a:managewp:managewp_worker:*:*:*:*:*:*:*:* covering all builds through 4.9.31, and the changed-scope rating (S:C) reflects that the injected payload runs against a different security authority - the WordPress admin session - than the unauthenticated request that planted it.

RemediationAI

Upstream fix available via WordPress.org plugin changeset 3485733 (https://plugins.trac.wordpress.org/changeset/3485733/worker); the released patched version is not independently confirmed in the supplied data, so administrators should update ManageWP Worker to the latest available release (any version newer than 4.9.31) through the WordPress dashboard plugin updater or via ManageWP's own orchestration. Until the update is applied, compensating controls include using a WAF or reverse-proxy rule to strip or reject inbound requests containing the 'MWP-Key-Name' header from untrusted sources (trade-off: may break legitimate ManageWP key-registration flows if not scoped to ManageWP's IP ranges), temporarily deactivating the Worker plugin on sites that are not actively managed via ManageWP, and instructing administrators to avoid loading the plugin's connection management page with debug query parameters until the patch is in place. Vendor advisory details at https://www.wordfence.com/threat-intel/vulnerabilities/id/db6f08f9-4da3-450d-bf1e-5c9f0aab02a1.

Share

CVE-2026-3718 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy