CVE-2026-3368

The Injection Guard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via malicious query parameter names in all versions up to and including 1.2.9. This is due to insufficient input sanitization in the sanitize_ig_data() function which only sanitizes array values but not array keys, combined with missing output escaping in the ig_settings.php template where stored parameter keys are echoed directly into HTML. When a request is made to the site, the plugin captures the query string via $_SERVER['QUERY_STRING'], applies esc_url_raw() (which preserves URL-encoded special characters like %22, %3E, %3C), then passes it to parse_str() which URL-decodes the string, resulting in decoded HTML/JavaScript in the array keys. These keys are stored via update_option('ig_requests_log') and later rendered without esc_html() or esc_attr() on the admin log page. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in the admin log page that execute whenever an administrator views the Injection Guard log interface.

CVSS v3 7.2 HIGH

7.2^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://plugins.trac.wordpress.org/browser/injection-guard/tags/1.2.8/guard.php#L105
https://plugins.trac.wordpress.org/browser/injection-guard/tags/1.2.8/guard.php#L153
https://plugins.trac.wordpress.org/browser/injection-guard/tags/1.2.8/guard.php#L49
https://plugins.trac.wordpress.org/browser/injection-guard/tags/1.2.8/guard.php#L8
https://plugins.trac.wordpress.org/browser/injection-guard/tags/1.2.8/guard.php#L94
https://plugins.trac.wordpress.org/browser/injection-guard/tags/1.2.8/ig_settings.php#L120
https://plugins.trac.wordpress.org/browser/injection-guard/tags/1.2.8/ig_settings.php#L121
https://plugins.trac.wordpress.org/browser/injection-guard/tags/1.2.8/ig_settings.php#L124
https://plugins.trac.wordpress.org/browser/injection-guard/trunk/guard.php#L105
https://plugins.trac.wordpress.org/browser/injection-guard/trunk/guard.php#L153
https://plugins.trac.wordpress.org/browser/injection-guard/trunk/guard.php#L49
https://plugins.trac.wordpress.org/browser/injection-guard/trunk/guard.php#L8
https://plugins.trac.wordpress.org/browser/injection-guard/trunk/guard.php#L94
https://plugins.trac.wordpress.org/browser/injection-guard/trunk/ig_settings.php#L120
https://plugins.trac.wordpress.org/browser/injection-guard/trunk/ig_settings.php#L121
https://plugins.trac.wordpress.org/browser/injection-guard/trunk/ig_settings.php#L124
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3482741%40injection-guard&new=3482741%40injection-guard&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/15d9817c-910d-4ce1-a5fb-67a2b6580e16?source=cve

Configurations

No configuration.

History

22 Apr 2026, 21:32

Type	Values Removed	Values Added
Summary		(es) El plugin Injection Guard para WordPress es vulnerable a cross-site scripting almacenado a través de nombres de parámetros de consulta maliciosos en todas las versiones hasta la 1.2.9 inclusive. Esto se debe a una sanitización de entrada insuficiente en la función `sanitize_ig_data()` que solo sanitiza los valores de los arrays pero no las claves de los arrays, combinado con una falta de escape de salida en la plantilla `ig_settings.php` donde las claves de los parámetros almacenados se imprimen directamente en HTML. Cuando se realiza una solicitud al sitio, el plugin captura la cadena de consulta a través de `$_SERVER['QUERY_STRING']`, aplica `esc_url_raw()` (que preserva caracteres especiales codificados en URL como %22, %3E, %3C), luego lo pasa a `parse_str()` que decodifica la cadena de URL, lo que resulta en HTML/JavaScript decodificado en las claves de los arrays. Estas claves se almacenan a través de `update_option('ig_requests_log')` y luego se renderizan sin `esc_html()` o `esc_attr()` en la página de registro del administrador. Esto hace posible que atacantes no autenticados inyecten scripts web arbitrarios en la página de registro del administrador que se ejecutan cada vez que un administrador ve la interfaz de registro de Injection Guard.

21 Mar 2026, 00:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-21 00:16

Updated : 2026-06-17 10:43

NVD link : CVE-2026-3368

Mitre link : CVE-2026-3368

CVE.ORG link : CVE-2026-3368

JSON object : View

Products Affected

No product.

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

7.2 /10