Skip to main content

ManageWP Worker CVE-2026-39463

| EUVDEUVD-2026-36931 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-15 Patchstack GHSA-4382-xwj4-x54p
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
7.1 HIGH

Network-reachable WordPress plugin endpoint, no attacker auth (PR:N), but victim click required (UI:R); XSS crosses into admin origin (S:C) with limited CIA impact typical of session-bound script execution.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 22:32 vuln.today

DescriptionCVE.org

Unauthenticated Cross Site Scripting (XSS) in ManageWP Worker <= 4.9.31 versions.

AnalysisAI

Reflected/stored cross-site scripting in the ManageWP Worker WordPress plugin (versions ≤ 4.9.31) allows unauthenticated remote attackers to inject malicious JavaScript that executes in a victim's browser after user interaction, potentially hijacking WordPress administrator sessions. The CVSS scope change (S:C) indicates the XSS payload crosses a trust boundary, affecting components beyond the vulnerable plugin itself. No public exploit identified at time of analysis, and the issue is not present in CISA KEV.

Technical ContextAI

ManageWP Worker is a widely deployed WordPress plugin (CPE cpe:2.3:a:managewp:managewp_worker) that connects a WordPress site to the ManageWP remote management dashboard, exposing endpoints used by the central orchestrator. The flaw is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning attacker-controlled input is reflected or stored without proper output encoding, letting it execute as script in the rendered DOM. Because the plugin is reachable on the public WordPress front end and integrates with admin-side workflows, an injection here can pivot from anonymous web context into authenticated administrative context - consistent with the CVSS scope change.

RemediationAI

Upstream fix available per Patchstack advisory; released patched version not independently confirmed in the supplied data, so administrators should consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/worker/vulnerability/wordpress-managewp-worker-plugin-4-9-31-cross-site-scripting-xss-vulnerability) and the WordPress plugin repository for the version succeeding 4.9.31 and upgrade immediately. As compensating controls until the upgrade is applied, deploy a WAF rule blocking script-tag and event-handler patterns on requests reaching the Worker plugin endpoints, enforce a strict Content-Security-Policy that disallows inline script execution in wp-admin (note: may break some legacy plugins), and require administrators to log out of WordPress before browsing untrusted links to reduce the chance of session-bound XSS payloads firing. If immediate patching is impossible, temporarily deactivating the ManageWP Worker plugin removes the attack surface at the cost of losing remote management functionality.

Share

CVE-2026-39463 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy