Vulnerability-Lookup

CVE-2026-3368 (GCVE-0-2026-3368)

Vulnerability from cvelistv5 – Published: 2026-03-20 23:25 – Updated: 2026-04-08 16:37

Title

Injection Guard <= 1.2.9 - Unauthenticated Stored Cross-Site Scripting via Query Parameter Name

Summary

The Injection Guard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via malicious query parameter names in all versions up to and including 1.2.9. This is due to insufficient input sanitization in the sanitize_ig_data() function which only sanitizes array values but not array keys, combined with missing output escaping in the ig_settings.php template where stored parameter keys are echoed directly into HTML. When a request is made to the site, the plugin captures the query string via $_SERVER['QUERY_STRING'], applies esc_url_raw() (which preserves URL-encoded special characters like %22, %3E, %3C), then passes it to parse_str() which URL-decodes the string, resulting in decoded HTML/JavaScript in the array keys. These keys are stored via update_option('ig_requests_log') and later rendered without esc_html() or esc_attr() on the admin log page. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in the admin log page that execute whenever an administrator views the Injection Guard log interface.

Severity ?

7.2 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Assigner

Wordfence

References

18 references

URL	Tags
https://www.wordfence.com/threat-intel/vulnerabil…
https://plugins.trac.wordpress.org/browser/inject…
https://plugins.trac.wordpress.org/browser/inject…
https://plugins.trac.wordpress.org/browser/inject…
https://plugins.trac.wordpress.org/browser/inject…
https://plugins.trac.wordpress.org/browser/inject…
https://plugins.trac.wordpress.org/browser/inject…
https://plugins.trac.wordpress.org/browser/inject…
https://plugins.trac.wordpress.org/browser/inject…
https://plugins.trac.wordpress.org/browser/inject…
https://plugins.trac.wordpress.org/browser/inject…
https://plugins.trac.wordpress.org/browser/inject…
https://plugins.trac.wordpress.org/browser/inject…
https://plugins.trac.wordpress.org/browser/inject…
https://plugins.trac.wordpress.org/browser/inject…
https://plugins.trac.wordpress.org/browser/inject…
https://plugins.trac.wordpress.org/browser/inject…
https://plugins.trac.wordpress.org/changeset?sfp_…

Impacted products

1 product

Vendor	Product	Version
fahadmahmood	Injection Guard	Affected: 0 , ≤ 1.2.9 (semver)

Credits

Itthidej Aramsri

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-3368",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-24T15:28:30.566055Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-24T15:29:00.488Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Injection Guard",
          "vendor": "fahadmahmood",
          "versions": [
            {
              "lessThanOrEqual": "1.2.9",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Itthidej Aramsri"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Injection Guard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via malicious query parameter names in all versions up to and including 1.2.9. This is due to insufficient input sanitization in the sanitize_ig_data() function which only sanitizes array values but not array keys, combined with missing output escaping in the ig_settings.php template where stored parameter keys are echoed directly into HTML. When a request is made to the site, the plugin captures the query string via $_SERVER[\u0027QUERY_STRING\u0027], applies esc_url_raw() (which preserves URL-encoded special characters like %22, %3E, %3C), then passes it to parse_str() which URL-decodes the string, resulting in decoded HTML/JavaScript in the array keys. These keys are stored via update_option(\u0027ig_requests_log\u0027) and later rendered without esc_html() or esc_attr() on the admin log page. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in the admin log page that execute whenever an administrator views the Injection Guard log interface."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T16:37:02.719Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/15d9817c-910d-4ce1-a5fb-67a2b6580e16?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/injection-guard/trunk/guard.php#L94"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/injection-guard/trunk/ig_settings.php#L120"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/injection-guard/trunk/ig_settings.php#L121"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/injection-guard/tags/1.2.8/ig_settings.php#L121"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/injection-guard/tags/1.2.8/ig_settings.php#L120"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/injection-guard/trunk/ig_settings.php#L124"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/injection-guard/tags/1.2.8/ig_settings.php#L124"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/injection-guard/tags/1.2.8/guard.php#L94"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/injection-guard/trunk/guard.php#L105"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/injection-guard/tags/1.2.8/guard.php#L105"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/injection-guard/trunk/guard.php#L8"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/injection-guard/tags/1.2.8/guard.php#L8"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/injection-guard/trunk/guard.php#L153"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/injection-guard/tags/1.2.8/guard.php#L153"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/injection-guard/trunk/guard.php#L49"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/injection-guard/tags/1.2.8/guard.php#L49"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3482741%40injection-guard\u0026new=3482741%40injection-guard\u0026sfp_email=\u0026sfph_mail="
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-03-20T10:55:45.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Injection Guard \u003c= 1.2.9 - Unauthenticated Stored Cross-Site Scripting via Query Parameter Name"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-3368",
    "datePublished": "2026-03-20T23:25:10.600Z",
    "dateReserved": "2026-02-27T21:15:02.411Z",
    "dateUpdated": "2026-04-08T16:37:02.719Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-3368",
      "date": "2026-05-14",
      "epss": "0.00248",
      "percentile": "0.48104"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-3368\",\"sourceIdentifier\":\"security@wordfence.com\",\"published\":\"2026-03-21T00:16:28.007\",\"lastModified\":\"2026-04-22T21:32:08.360\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The Injection Guard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via malicious query parameter names in all versions up to and including 1.2.9. This is due to insufficient input sanitization in the sanitize_ig_data() function which only sanitizes array values but not array keys, combined with missing output escaping in the ig_settings.php template where stored parameter keys are echoed directly into HTML. When a request is made to the site, the plugin captures the query string via $_SERVER[\u0027QUERY_STRING\u0027], applies esc_url_raw() (which preserves URL-encoded special characters like %22, %3E, %3C), then passes it to parse_str() which URL-decodes the string, resulting in decoded HTML/JavaScript in the array keys. These keys are stored via update_option(\u0027ig_requests_log\u0027) and later rendered without esc_html() or esc_attr() on the admin log page. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in the admin log page that execute whenever an administrator views the Injection Guard log interface.\"},{\"lang\":\"es\",\"value\":\"El plugin Injection Guard para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s de nombres de par\u00e1metros de consulta maliciosos en todas las versiones hasta la 1.2.9 inclusive. Esto se debe a una sanitizaci\u00f3n de entrada insuficiente en la funci\u00f3n `sanitize_ig_data()` que solo sanitiza los valores de los arrays pero no las claves de los arrays, combinado con una falta de escape de salida en la plantilla `ig_settings.php` donde las claves de los par\u00e1metros almacenados se imprimen directamente en HTML. Cuando se realiza una solicitud al sitio, el plugin captura la cadena de consulta a trav\u00e9s de `$_SERVER[\u0027QUERY_STRING\u0027]`, aplica `esc_url_raw()` (que preserva caracteres especiales codificados en URL como %22, %3E, %3C), luego lo pasa a `parse_str()` que decodifica la cadena de URL, lo que resulta en HTML/JavaScript decodificado en las claves de los arrays. Estas claves se almacenan a trav\u00e9s de `update_option(\u0027ig_requests_log\u0027)` y luego se renderizan sin `esc_html()` o `esc_attr()` en la p\u00e1gina de registro del administrador. Esto hace posible que atacantes no autenticados inyecten scripts web arbitrarios en la p\u00e1gina de registro del administrador que se ejecutan cada vez que un administrador ve la interfaz de registro de Injection Guard.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@wordfence.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N\",\"baseScore\":7.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"security@wordfence.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"references\":[{\"url\":\"https://plugins.trac.wordpress.org/browser/injection-guard/tags/1.2.8/guard.php#L105\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/injection-guard/tags/1.2.8/guard.php#L153\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/injection-guard/tags/1.2.8/guard.php#L49\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/injection-guard/tags/1.2.8/guard.php#L8\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/injection-guard/tags/1.2.8/guard.php#L94\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/injection-guard/tags/1.2.8/ig_settings.php#L120\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/injection-guard/tags/1.2.8/ig_settings.php#L121\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/injection-guard/tags/1.2.8/ig_settings.php#L124\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/injection-guard/trunk/guard.php#L105\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/injection-guard/trunk/guard.php#L153\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/injection-guard/trunk/guard.php#L49\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/injection-guard/trunk/guard.php#L8\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/injection-guard/trunk/guard.php#L94\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/injection-guard/trunk/ig_settings.php#L120\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/injection-guard/trunk/ig_settings.php#L121\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/injection-guard/trunk/ig_settings.php#L124\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3482741%40injection-guard\u0026new=3482741%40injection-guard\u0026sfp_email=\u0026sfph_mail=\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://www.wordfence.com/threat-intel/vulnerabilities/id/15d9817c-910d-4ce1-a5fb-67a2b6580e16?source=cve\",\"source\":\"security@wordfence.com\"}]}}"
  }
}

FKIE_CVE-2026-3368

Vulnerability from fkie_nvd - Published: 2026-03-21 00:16 - Updated: 2026-04-22 21:32

Severity ?

7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Summary

References

	URL	Tags
	security@wordfence.com	https://plugins.trac.wordpress.org/browser/injection-guard/tags/1.2.8/guard.php#L105
	security@wordfence.com	https://plugins.trac.wordpress.org/browser/injection-guard/tags/1.2.8/guard.php#L153
	security@wordfence.com	https://plugins.trac.wordpress.org/browser/injection-guard/tags/1.2.8/guard.php#L49
	security@wordfence.com	https://plugins.trac.wordpress.org/browser/injection-guard/tags/1.2.8/guard.php#L8
	security@wordfence.com	https://plugins.trac.wordpress.org/browser/injection-guard/tags/1.2.8/guard.php#L94
	security@wordfence.com	https://plugins.trac.wordpress.org/browser/injection-guard/tags/1.2.8/ig_settings.php#L120
	security@wordfence.com	https://plugins.trac.wordpress.org/browser/injection-guard/tags/1.2.8/ig_settings.php#L121
	security@wordfence.com	https://plugins.trac.wordpress.org/browser/injection-guard/tags/1.2.8/ig_settings.php#L124
	security@wordfence.com	https://plugins.trac.wordpress.org/browser/injection-guard/trunk/guard.php#L105
	security@wordfence.com	https://plugins.trac.wordpress.org/browser/injection-guard/trunk/guard.php#L153
	security@wordfence.com	https://plugins.trac.wordpress.org/browser/injection-guard/trunk/guard.php#L49
	security@wordfence.com	https://plugins.trac.wordpress.org/browser/injection-guard/trunk/guard.php#L8
	security@wordfence.com	https://plugins.trac.wordpress.org/browser/injection-guard/trunk/guard.php#L94
	security@wordfence.com	https://plugins.trac.wordpress.org/browser/injection-guard/trunk/ig_settings.php#L120
	security@wordfence.com	https://plugins.trac.wordpress.org/browser/injection-guard/trunk/ig_settings.php#L121
	security@wordfence.com	https://plugins.trac.wordpress.org/browser/injection-guard/trunk/ig_settings.php#L124
	security@wordfence.com	https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3482741%40injection-guard&new=3482741%40injection-guard&sfp_email=&sfph_mail=
	security@wordfence.com	https://www.wordfence.com/threat-intel/vulnerabilities/id/15d9817c-910d-4ce1-a5fb-67a2b6580e16?source=cve

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Injection Guard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via malicious query parameter names in all versions up to and including 1.2.9. This is due to insufficient input sanitization in the sanitize_ig_data() function which only sanitizes array values but not array keys, combined with missing output escaping in the ig_settings.php template where stored parameter keys are echoed directly into HTML. When a request is made to the site, the plugin captures the query string via $_SERVER[\u0027QUERY_STRING\u0027], applies esc_url_raw() (which preserves URL-encoded special characters like %22, %3E, %3C), then passes it to parse_str() which URL-decodes the string, resulting in decoded HTML/JavaScript in the array keys. These keys are stored via update_option(\u0027ig_requests_log\u0027) and later rendered without esc_html() or esc_attr() on the admin log page. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in the admin log page that execute whenever an administrator views the Injection Guard log interface."
    },
    {
      "lang": "es",
      "value": "El plugin Injection Guard para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s de nombres de par\u00e1metros de consulta maliciosos en todas las versiones hasta la 1.2.9 inclusive. Esto se debe a una sanitizaci\u00f3n de entrada insuficiente en la funci\u00f3n `sanitize_ig_data()` que solo sanitiza los valores de los arrays pero no las claves de los arrays, combinado con una falta de escape de salida en la plantilla `ig_settings.php` donde las claves de los par\u00e1metros almacenados se imprimen directamente en HTML. Cuando se realiza una solicitud al sitio, el plugin captura la cadena de consulta a trav\u00e9s de `$_SERVER[\u0027QUERY_STRING\u0027]`, aplica `esc_url_raw()` (que preserva caracteres especiales codificados en URL como %22, %3E, %3C), luego lo pasa a `parse_str()` que decodifica la cadena de URL, lo que resulta en HTML/JavaScript decodificado en las claves de los arrays. Estas claves se almacenan a trav\u00e9s de `update_option(\u0027ig_requests_log\u0027)` y luego se renderizan sin `esc_html()` o `esc_attr()` en la p\u00e1gina de registro del administrador. Esto hace posible que atacantes no autenticados inyecten scripts web arbitrarios en la p\u00e1gina de registro del administrador que se ejecutan cada vez que un administrador ve la interfaz de registro de Injection Guard."
    }
  ],
  "id": "CVE-2026-3368",
  "lastModified": "2026-04-22T21:32:08.360",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.2,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 2.7,
        "source": "security@wordfence.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-21T00:16:28.007",
  "references": [
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/injection-guard/tags/1.2.8/guard.php#L105"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/injection-guard/tags/1.2.8/guard.php#L153"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/injection-guard/tags/1.2.8/guard.php#L49"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/injection-guard/tags/1.2.8/guard.php#L8"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/injection-guard/tags/1.2.8/guard.php#L94"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/injection-guard/tags/1.2.8/ig_settings.php#L120"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/injection-guard/tags/1.2.8/ig_settings.php#L121"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/injection-guard/tags/1.2.8/ig_settings.php#L124"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/injection-guard/trunk/guard.php#L105"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/injection-guard/trunk/guard.php#L153"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/injection-guard/trunk/guard.php#L49"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/injection-guard/trunk/guard.php#L8"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/injection-guard/trunk/guard.php#L94"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/injection-guard/trunk/ig_settings.php#L120"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/injection-guard/trunk/ig_settings.php#L121"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/injection-guard/trunk/ig_settings.php#L124"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3482741%40injection-guard\u0026new=3482741%40injection-guard\u0026sfp_email=\u0026sfph_mail="
    },
    {
      "source": "security@wordfence.com",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/15d9817c-910d-4ce1-a5fb-67a2b6580e16?source=cve"
    }
  ],
  "sourceIdentifier": "security@wordfence.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security@wordfence.com",
      "type": "Secondary"
    }
  ]
}

GHSA-9HG7-QJWM-HFXV

Vulnerability from github – Published: 2026-03-21 00:31 – Updated: 2026-03-21 00:31

Details

Severity ?

7.2 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2026-3368"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-21T00:16:28Z",
    "severity": "HIGH"
  },
  "details": "The Injection Guard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via malicious query parameter names in all versions up to and including 1.2.9. This is due to insufficient input sanitization in the sanitize_ig_data() function which only sanitizes array values but not array keys, combined with missing output escaping in the ig_settings.php template where stored parameter keys are echoed directly into HTML. When a request is made to the site, the plugin captures the query string via $_SERVER[\u0027QUERY_STRING\u0027], applies esc_url_raw() (which preserves URL-encoded special characters like %22, %3E, %3C), then passes it to parse_str() which URL-decodes the string, resulting in decoded HTML/JavaScript in the array keys. These keys are stored via update_option(\u0027ig_requests_log\u0027) and later rendered without esc_html() or esc_attr() on the admin log page. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in the admin log page that execute whenever an administrator views the Injection Guard log interface.",
  "id": "GHSA-9hg7-qjwm-hfxv",
  "modified": "2026-03-21T00:31:44Z",
  "published": "2026-03-21T00:31:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3368"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/injection-guard/tags/1.2.8/guard.php#L105"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/injection-guard/tags/1.2.8/guard.php#L153"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/injection-guard/tags/1.2.8/guard.php#L49"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/injection-guard/tags/1.2.8/guard.php#L8"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/injection-guard/tags/1.2.8/guard.php#L94"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/injection-guard/tags/1.2.8/ig_settings.php#L120"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/injection-guard/tags/1.2.8/ig_settings.php#L121"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/injection-guard/tags/1.2.8/ig_settings.php#L124"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/injection-guard/trunk/guard.php#L105"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/injection-guard/trunk/guard.php#L153"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/injection-guard/trunk/guard.php#L49"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/injection-guard/trunk/guard.php#L8"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/injection-guard/trunk/guard.php#L94"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/injection-guard/trunk/ig_settings.php#L120"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/injection-guard/trunk/ig_settings.php#L121"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/injection-guard/trunk/ig_settings.php#L124"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3482741%40injection-guard\u0026new=3482741%40injection-guard\u0026sfp_email=\u0026sfph_mail="
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/15d9817c-910d-4ce1-a5fb-67a2b6580e16?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-3368 (GCVE-0-2026-3368)

FKIE_CVE-2026-3368

GHSA-9HG7-QJWM-HFXV

Tags

Sightings

Nomenclature