Managewp Worker
Monthly
Reflected/stored cross-site scripting in the ManageWP Worker WordPress plugin (versions ≤ 4.9.31) allows unauthenticated remote attackers to inject malicious JavaScript that executes in a victim's browser after user interaction, potentially hijacking WordPress administrator sessions. The CVSS scope change (S:C) indicates the XSS payload crosses a trust boundary, affecting components beyond the vulnerable plugin itself. No public exploit identified at time of analysis, and the issue is not present in CISA KEV.
Stored cross-site scripting in the ManageWP Worker WordPress plugin (versions ≤ 4.9.31) allows unauthenticated remote attackers to inject arbitrary JavaScript via a crafted 'MWP-Key-Name' HTTP request header, which executes when an administrator later visits the plugin's connection management page with debug parameters. No public exploit identified at time of analysis, and the EPSS score is very low (0.07%, 22nd percentile), but the unauthenticated network attack vector and changed scope (S:C) keep this relevant for any site using the plugin.
Reflected/stored cross-site scripting in the ManageWP Worker WordPress plugin (versions ≤ 4.9.31) allows unauthenticated remote attackers to inject malicious JavaScript that executes in a victim's browser after user interaction, potentially hijacking WordPress administrator sessions. The CVSS scope change (S:C) indicates the XSS payload crosses a trust boundary, affecting components beyond the vulnerable plugin itself. No public exploit identified at time of analysis, and the issue is not present in CISA KEV.
Stored cross-site scripting in the ManageWP Worker WordPress plugin (versions ≤ 4.9.31) allows unauthenticated remote attackers to inject arbitrary JavaScript via a crafted 'MWP-Key-Name' HTTP request header, which executes when an administrator later visits the plugin's connection management page with debug parameters. No public exploit identified at time of analysis, and the EPSS score is very low (0.07%, 22nd percentile), but the unauthenticated network attack vector and changed scope (S:C) keep this relevant for any site using the plugin.