Cyber Resilience

CVE-2026-3368

Severity: High
Published: 21 March 2026
Modified: 22 April 2026
CVSS v3.1 score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)
EPSS score: 0.0021 (44.0th percentile)
Risk priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-3368 is a high-severity cross-site scripting (CWE-79) vulnerability in WordPress (product inferred from references). Its CVSS v3.1 base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 44.0th percentile by exploit likelihood (EPSS), below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2026-3368 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, in the Injection Guard plugin for WordPress, affecting all versions up to and including 1.2.9. The flaw arises from insufficient input sanitization in the sanitize_ig_data() function, which processes array values but neglects array keys, coupled with missing output escaping in the ig_settings.php template where stored parameter keys are echoed directly into HTML. The plugin captures the query string via $_SERVER['QUERY_STRING'], applies esc_url_raw() to preserve URL-encoded special characters like %22, %3E, and %3C, then uses parse_str() to URL-decode the string, embedding decoded HTML or JavaScript in the array keys. These keys are persisted via update_option('ig_requests_log') and later rendered without esc_html() or esc_attr() on the admin log page.

Unauthenticated attackers (AV:N/AC:L/PR:N/UI:N) can exploit this by crafting requests with malicious, URL-encoded JavaScript payloads in query parameter names. Upon storage and subsequent viewing of the Injection Guard log interface by an administrator, the payloads execute in the browser context of the admin page, enabling potential theft of admin session data or further site compromise. The vulnerability's CVSS v3.1 base score of 7.2 (S:C/C:L/I:L/A:N) underscores its severity due to network accessibility, low complexity, lack of privileges or user interaction requirements, and scope change.

The provided references point to source code locations in the Injection Guard plugin's guard.php file (version 1.2.8), at lines 105, 153, 49, 8, and 94, which correspond to the sanitization, parsing, storage, and rendering logic implicated in the vulnerability. No explicit patch or mitigation details are provided in the available information.


Vulnerability details

The Injection Guard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via malicious query parameter names in all versions up to and including 1.2.9. This is due to insufficient input sanitization in the sanitize_ig_data() function which only sanitizes array values but not array keys, combined with missing output escaping in the ig_settings.php template where stored parameter keys are echoed directly into HTML. When a request is made to the site, the plugin captures the query string via $_SERVER['QUERY_STRING'], applies esc_url_raw() (which preserves URL-encoded special characters like %22, %3E, %3C), then passes it to parse_str() which URL-decodes the string, resulting in decoded HTML/JavaScript in the array keys. These keys are stored via update_option('ig_requests_log') and later rendered without esc_html() or esc_attr() on the admin log page. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in the admin log page that execute whenever an administrator views the Injection Guard log interface.
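The root cause described in the deeper analysis and in the vulnerability details above is a sanitizer that walks array values but leaves the URL-decoded array keys untouched, paired with a template that echoes those keys without escaping. The following PHP is an added illustration of that pattern and of the two independent fixes (sanitize keys as well as values; escape everything at render time). It is not the Injection Guard plugin's code: the function names sanitize_values_only(), sanitize_keys_and_values() and render_log_rows() are invented for this example, and the query string is constructed, with a harmless <b> tag standing in for a real payload. Plain PHP functions are used so the script runs outside WordPress; in a plugin the output layer would use esc_html()/esc_attr() as the description names them.

```php
<?php
// Hypothetical illustration of the CWE-79 pattern described above.
// Not the Injection Guard plugin's code; all function names are invented.

// Vulnerable pattern: the sanitizer recurses into array VALUES only, so a
// parameter NAME that parse_str() has already URL-decoded passes through
// untouched and is later stored and echoed as-is.
function sanitize_values_only(array $data): array {
    $clean = [];
    foreach ($data as $key => $value) {
        $clean[$key] = is_array($value)
            ? sanitize_values_only($value)
            : strip_tags((string) $value);
    }
    return $clean;
}

// Hardened pattern: sanitize KEYS as well as values, recursively. Keys are
// reduced to an allowlist of characters, which removes anything a browser
// could interpret as markup. Keys that become empty are dropped.
function sanitize_keys_and_values(array $data): array {
    $clean = [];
    foreach ($data as $key => $value) {
        $safeKey = preg_replace('/[^A-Za-z0-9_\-\[\]]/', '', (string) $key);
        if ($safeKey === '') {
            continue;
        }
        $clean[$safeKey] = is_array($value)
            ? sanitize_keys_and_values($value)
            : strip_tags((string) $value);
    }
    return $clean;
}

// Output escaping: the second, independent layer. Every stored key and value
// is HTML-escaped at render time, so even a key that slipped past input
// sanitization cannot become live markup on the admin page.
function render_log_rows(array $log): string {
    $html = '';
    foreach ($log as $key => $value) {
        $raw = is_array($value) ? (string) json_encode($value) : (string) $value;
        $k = htmlspecialchars((string) $key, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $v = htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $html .= "<tr><td>{$k}</td><td>{$v}</td></tr>\n";
    }
    return $html;
}

// Constructed sample input: a query string whose parameter NAME carries
// URL-encoded markup. parse_str() decodes keys and values alike, which is
// the step that turns %3C / %3E back into '<' and '>' inside the key.
$query = 'page=1&%3Cb%3Ename%3C%2Fb%3E=value';
parse_str($query, $params);

print_r(array_keys(sanitize_values_only($params)));      // second key is still '<b>name</b>'
print_r(array_keys(sanitize_keys_and_values($params)));  // second key is reduced to 'bnameb'
echo render_log_rows($params);                           // '<' and '>' are emitted as &lt; and &gt;
```

The point of running both fixes is that they fail independently: key sanitization stops the markup from being stored, and output escaping stops anything that is stored from executing. Note also the ordering issue the description highlights: sanitization that runs before parse_str() sees only the percent-encoded form, so the check that matters must be applied to the decoded keys, as sanitize_keys_and_values() does.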


Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1185 Browser Session Hijacking (Collection)
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Why these techniques?

Stored XSS in a public-facing WordPress plugin directly enables T1190 (Exploit Public-Facing Application) via unauthenticated query-string injection; payload execution in the administrator's browser context facilitates T1185 (Browser Session Hijacking) for session theft and further compromise.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-1843 (shared CWE-79)
CVE-2026-42678 (shared CWE-79)
CVE-2023-49186 (shared CWE-79)
CVE-2025-22586 (shared CWE-79)
CVE-2026-1316 (shared CWE-79)
CVE-2025-23451 (shared CWE-79)
CVE-2026-34564 (shared CWE-79)
CVE-2025-23744 (shared CWE-79)
CVE-2025-23923 (shared CWE-79)
CVE-2025-23905 (shared CWE-79)

Affected Assets

WordPress (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

prevent (SI-10 Information Input Validation): Requires validation and sanitization of all inputs, including query parameter names parsed into array keys, to prevent storage of malicious scripts.

prevent (SI-15 Information Output Filtering): Mandates filtering and escaping of outputs when rendering stored query parameters in the admin log page to block XSS execution.

prevent / respond: Directs identification, reporting, and correction of the sanitization flaw in sanitize_ig_data() and output escaping in ig_settings.php to remediate the stored XSS vulnerability.
