Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Network-reachable WordPress plugin endpoint, no attacker auth (PR:N), but victim click required (UI:R); XSS crosses into admin origin (S:C) with limited CIA impact typical of session-bound script execution.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Cross Site Scripting (XSS) in ManageWP Worker <= 4.9.31 versions.
AnalysisAI
Reflected/stored cross-site scripting in the ManageWP Worker WordPress plugin (versions ≤ 4.9.31) allows unauthenticated remote attackers to inject malicious JavaScript that executes in a victim's browser after user interaction, potentially hijacking WordPress administrator sessions. The CVSS scope change (S:C) indicates the XSS payload crosses a trust boundary, affecting components beyond the vulnerable plugin itself. No public exploit identified at time of analysis, and the issue is not present in CISA KEV.
Technical ContextAI
ManageWP Worker is a widely deployed WordPress plugin (CPE cpe:2.3:a:managewp:managewp_worker) that connects a WordPress site to the ManageWP remote management dashboard, exposing endpoints used by the central orchestrator. The flaw is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning attacker-controlled input is reflected or stored without proper output encoding, letting it execute as script in the rendered DOM. Because the plugin is reachable on the public WordPress front end and integrates with admin-side workflows, an injection here can pivot from anonymous web context into authenticated administrative context - consistent with the CVSS scope change.
RemediationAI
Upstream fix available per Patchstack advisory; released patched version not independently confirmed in the supplied data, so administrators should consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/worker/vulnerability/wordpress-managewp-worker-plugin-4-9-31-cross-site-scripting-xss-vulnerability) and the WordPress plugin repository for the version succeeding 4.9.31 and upgrade immediately. As compensating controls until the upgrade is applied, deploy a WAF rule blocking script-tag and event-handler patterns on requests reaching the Worker plugin endpoints, enforce a strict Content-Security-Policy that disallows inline script execution in wp-admin (note: may break some legacy plugins), and require administrators to log out of WordPress before browsing untrusted links to reduce the chance of session-bound XSS payloads firing. If immediate patching is impossible, temporarily deactivating the ManageWP Worker plugin removes the attack surface at the cost of losing remote management functionality.
More in Managewp Worker
View allSame weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36931
GHSA-4382-xwj4-x54p