CVE-2026-3368
Published: 21 March 2026
Summary
CVE-2026-3368 is a high-severity stored Cross-site Scripting (CWE-79) vulnerability in the Injection Guard plugin for WordPress (product inferred from the references). Its CVSS v3.1 base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 44.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2026-3368 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, in the Injection Guard plugin for WordPress, affecting all versions up to and including 1.2.9. The flaw has two halves: insufficient input sanitization in the sanitize_ig_data() function, which sanitizes array values but ignores array keys, and missing output escaping in the ig_settings.php template, where stored parameter keys are echoed directly into HTML. On each request the plugin captures the query string via $_SERVER['QUERY_STRING'] and passes it through esc_url_raw(), which leaves URL-encoded characters such as %22, %3E and %3C intact, then through parse_str(), which URL-decodes it, so the decoded HTML or JavaScript lands in the array keys. Those keys are persisted via update_option('ig_requests_log') and later rendered on the admin log page without esc_html() or esc_attr().
Unauthenticated attackers (AV:N/AC:L/PR:N/UI:N) can exploit this by sending requests whose query parameter names carry URL-encoded JavaScript payloads. Once stored, the payloads execute in the administrator's browser whenever an administrator views the Injection Guard log interface, enabling theft of admin session data or further site compromise. The CVSS v3.1 base score of 7.2 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N) reflects network reachability, low attack complexity, no required privileges or user interaction, a scope change, and low confidentiality and integrity impact.
The references point to source code locations in the plugin's guard.php file (version 1.2.8), at lines 105, 153, 49, 8 and 94, which correspond to the sanitization, parsing, storage and rendering logic involved. No patch or vendor mitigation details are given in the available information.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-13918
Vulnerability details
The Injection Guard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via malicious query parameter names in all versions up to and including 1.2.9. This is due to insufficient input sanitization in the sanitize_ig_data() function which only sanitizes array values but not array keys, combined with missing output escaping in the ig_settings.php template where stored parameter keys are echoed directly into HTML. When a request is made to the site, the plugin captures the query string via $_SERVER['QUERY_STRING'], applies esc_url_raw() (which preserves URL-encoded special characters like %22, %3E, %3C), then passes it to parse_str() which URL-decodes the string, resulting in decoded HTML/JavaScript in the array keys. These keys are stored via update_option('ig_requests_log') and later rendered without esc_html() or esc_attr() on the admin log page. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in the admin log page that execute whenever an administrator views the Injection Guard log interface.
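The deeper analysis and the vulnerability description above both describe the same flow: query string, esc_url_raw(), parse_str(), sanitize_ig_data(), and stored keys echoed into HTML. The PHP script below is an added example, not code from the Injection Guard plugin or from this page. It models that flow stand-alone: a vulnerable sanitize_ig_data()/render pair reconstructed from the description (the plugin's real function bodies are not on the page and are assumed here), the hardened versions beside them, and a small triage check over a stored log. The WordPress function names are real; the function_exists() fallbacks at the top are stand-ins so the script runs outside WordPress.

```php
<?php
// Added example, not code from the Injection Guard plugin. Models the logging flow
// from the CVE-2026-3368 description: query string -> esc_url_raw() -> parse_str()
// -> sanitize_ig_data() -> stored keys echoed into HTML. Function bodies are assumed.
// The WordPress functions are real; the fallbacks below only exist so this runs stand-alone.

if (!function_exists('esc_url_raw')) {
    // Stand-in: what matters here is that esc_url_raw() leaves percent-encoded
    // bytes such as %3C / %3E / %22 as they are, so it does not neutralise markup.
    function esc_url_raw(string $url): string { return $url; }
}
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field(string $str): string { return trim(strip_tags($str)); }
}
if (!function_exists('sanitize_key')) {
    // Stand-in mirroring WordPress: lowercase, keep only [a-z0-9_-].
    function sanitize_key(string $key): string {
        return preg_replace('/[^a-z0-9_\-]/', '', strtolower($key));
    }
}

// Vulnerable shape (assumed reconstruction): every value is sanitized, no key is.
function sanitize_ig_data_vulnerable(array $data): array {
    $clean = [];
    foreach ($data as $key => $value) {
        $clean[$key] = is_array($value)
            ? sanitize_ig_data_vulnerable($value)
            : sanitize_text_field((string) $value);
    }
    return $clean;
}

// Hardened: sanitize the key too. A log of parameter names never needs markup in a key.
function sanitize_ig_data_fixed(array $data): array {
    $clean = [];
    foreach ($data as $key => $value) {
        $safe_key = sanitize_key((string) $key);
        if ($safe_key === '') {
            continue; // nothing legitimate left in the name, so do not log it at all
        }
        $clean[$safe_key] = is_array($value)
            ? sanitize_ig_data_fixed($value)
            : sanitize_text_field((string) $value);
    }
    return $clean;
}

// Capture step shared by both variants: parse_str() percent-decodes keys as well as
// values, so %3Cscript%3E in a parameter *name* becomes a literal <script> array key.
function capture_request(string $query_string, callable $sanitizer): array {
    $params = [];
    parse_str(esc_url_raw($query_string), $params);
    return $sanitizer($params);
}

// Vulnerable render, modelled on the description of ig_settings.php: stored keys
// are concatenated straight into HTML (flat log assumed for brevity).
function render_log_vulnerable(array $log): string {
    $html = '';
    foreach ($log as $key => $value) {
        $html .= '<tr><td>' . $key . '</td><td>' . $value . '</td></tr>';
    }
    return $html;
}

// Hardened render: escape at the output boundary regardless of what was stored,
// so a log written by the old code can no longer execute either.
function render_log_fixed(array $log): string {
    $html = '';
    foreach ($log as $key => $value) {
        $html .= '<tr><td>' . esc_html((string) $key) . '</td><td>' . esc_html((string) $value) . '</td></tr>';
    }
    return $html;
}

// Triage check for an existing ig_requests_log array: a stored key containing HTML
// metacharacters means the vulnerable code path has already been exercised.
function log_has_injected_keys(array $log): bool {
    foreach ($log as $key => $value) {
        if (preg_match('/[<>"\']/', (string) $key)) {
            return true;
        }
        if (is_array($value) && log_has_injected_keys($value)) {
            return true;
        }
    }
    return false;
}

// Constructed attacker request: payload in the parameter name; markup in a value for contrast.
$qs = '%3Cscript%3Ealert(1)%3C%2Fscript%3E=1&page=%3Cb%3Ehome%3C%2Fb%3E';

$stored = capture_request($qs, 'sanitize_ig_data_vulnerable');
echo render_log_vulnerable($stored), PHP_EOL;   // the value is stripped of tags, the key is not
var_dump(log_has_injected_keys($stored));

$stored = capture_request($qs, 'sanitize_ig_data_fixed');
echo render_log_fixed($stored), PHP_EOL;         // sanitize_key() strips the markup, esc_html() escapes the rest
var_dump(log_has_injected_keys($stored));
```

Run it with `php example.php`; inside WordPress the function_exists() guards let the real esc_html() and sanitize_key() take over. The two fixes are independent layers: sanitizing keys (input validation, SI-10) stops new payloads from being stored, and escaping at render time (output filtering, SI-15) defuses anything already sitting in ig_requests_log from before a fix. The triage function is the check to run against the stored option on a site that was exposed while vulnerable.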
- CWE(s): CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting')
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS in a public-facing WordPress plugin directly enables T1190 (Exploit Public-Facing Application) via unauthenticated query-string injection; payload execution in the admin's browser context facilitates T1185 (Browser Session Hijacking) for session theft and further compromise.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): requires validation and sanitization of all inputs, including query parameter names parsed into array keys, to prevent storage of malicious scripts.
- SI-15 (Information Output Filtering): mandates filtering and escaping of outputs when rendering stored query parameters on the admin log page to block XSS execution.
- SI-2 (Flaw Remediation): directs identification, reporting, and correction of the sanitization flaw in sanitize_ig_data() and the missing output escaping in ig_settings.php to remediate the stored XSS vulnerability.