cleantalk
Vulnerabilities and Security Researches

Vulnerabilities and security researches foranomify anomify

Direction: ascending
May 23, 2026

Anomify AI – Anomaly Detection and Alerting # CVE-2026-6404

CVE, Research URL

CVE-2026-6404

Home page URL

Security reports for Anomify AI – Anomaly Detection and Alerting

Application

Anomify AI – Anomaly Detection and Alerting

Date
May 20, 2026
Research Description
The Anomify AI – Anomaly Detection and Alerting plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'anomify_api_key' parameter in versions up to and including 0.3.6. This is due to insufficient input sanitization and missing output escaping: the plugin applies sanitize_text_field() to the Metric Data Key input before saving it via update_option(), but sanitize_text_field() strips HTML tags without encoding double-quote characters, and the value is then echoed directly into an HTML attribute context (value="...") without esc_attr(). This makes it possible for authenticated attackers with administrator-level access to inject arbitrary web scripts that execute whenever a user visits the plugin's settings page.
Affected versions
max 0.3.6.
Status
vulnerable

Anomify AI – Anomaly Detection and Alerting # CVE-2026-6405

CVE, Research URL

CVE-2026-6405

Home page URL

Security reports for Anomify AI – Anomaly Detection and Alerting

Application

Anomify AI – Anomaly Detection and Alerting

Date
May 20, 2026
Research Description
The Anomify AI – Anomaly Detection and Alerting plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) leading to Stored Cross-Site Scripting (XSS) in versions up to and including 0.3.6. This is due to missing nonce verification on the settings page handler and insufficient output escaping in the admin_options.php template. The settings form includes no wp_nonce_field() and the handler performs no check_admin_referer() check, meaning any cross-origin POST can modify plugin settings. The API key field is sanitized only with sanitize_text_field(), which strips HTML tags but does not encode double-quote characters; the value is then rendered into an HTML attribute via bare echo without esc_attr(), allowing a double-quote attribute-escape payload to survive both sanitization and storage. This makes it possible for unauthenticated attackers to inject arbitrary web scripts by tricking a logged-in administrator into visiting a malicious page that submits a forged request, storing the payload in the database and causing it to execute in the administrator's browser whenever the plugin settings page is visited.
Affected versions
max 0.3.6.
Status
vulnerable