CVE-2026-3718
HIGH · 7.2
Fresh disclosure, heavy alert volume, but no PoC, KEV, or exploitation signals.
What: Stored XSS in ManageWP Worker WordPress plugin (≤v4.9.31) via unsanitized 'MWP-Key-Name' HTTP header; CVSS 7.2 (HIGH).
Why it matters: Published today with no KEV listing yet. Social chatter is heavy but appears to be automated NVD syndication and vendor alerting rather than exploitation reports or working PoCs. No defender triage signals or urgent patching advisories observed. Stored XSS requires admin interaction on a specific page, limiting immediate risk scope.
Where it's seen: Real-time NVD mirroring across Bluesky and X; security hashtag amplification; no PoC repositories, exploit code, or in-the-wild reports yet.
RISK: HIGH — Stored XSS affecting WordPress admin; unauthenticated injection; widespread plugin install base.
Description
The ManageWP Worker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'MWP-Key-Name' HTTP request header in all versions up to, and including, 4.9.31. This is due to insufficient input sanitization and output escaping of attacker-controlled header values. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator visits the plugin's connection management page with debug parameters.
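The pattern the description names, a request header value that is stored and later echoed into an admin page without escaping, shown beside its hardened form. This is an added illustration, not code from the ManageWP Worker plugin: the option store, the function names and the sample header value are constructed for the demo; only the header name comes from the advisory. In a real WordPress plugin the equivalent calls are sanitize_text_field() on the way in and esc_html() on the way out.

```php
<?php
// Added illustration (not ManageWP code). PHP exposes the request header
// "MWP-Key-Name" to scripts as $_SERVER['HTTP_MWP_KEY_NAME']; a constructed
// $_SERVER-like array stands in for a live request so this runs from the CLI.

function read_key_name_header(array $server): string {
    return $server['HTTP_MWP_KEY_NAME'] ?? '';
}

// Vulnerable pattern: the raw header is persisted, then concatenated into
// admin-page HTML unescaped. Whatever markup the header carried is rendered
// in the administrator's browser when the page is viewed.
function store_key_name_vulnerable(array &$options, string $value): void {
    $options['mwp_key_name'] = $value;
}
function render_key_name_vulnerable(array $options): string {
    return '<td>' . ($options['mwp_key_name'] ?? '') . '</td>';
}

// Hardened pattern: constrain on input AND escape on output. Either step
// alone would block this bug; doing both is the defence-in-depth form.
function store_key_name_hardened(array &$options, string $value): bool {
    // A key name is an identifier; accept a conservative charset and a length cap,
    // and refuse to store anything else (assumed policy, not the plugin's).
    if (!preg_match('/^[A-Za-z0-9_.-]{1,64}$/', $value)) {
        return false;
    }
    $options['mwp_key_name'] = $value;
    return true;
}
function render_key_name_hardened(array $options): string {
    // Context-appropriate escaping for an HTML text node (esc_html() in WordPress).
    $escaped = htmlspecialchars($options['mwp_key_name'] ?? '', ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<td>' . $escaped . '</td>';
}

// Constructed request: the header carries markup instead of a key name.
$fake_server = ['HTTP_MWP_KEY_NAME' => '<b>constructed markup</b>'];
$value = read_key_name_header($fake_server);

$vuln = [];
store_key_name_vulnerable($vuln, $value);
echo "vulnerable render: " . render_key_name_vulnerable($vuln) . PHP_EOL;

$safe = [];
$accepted = store_key_name_hardened($safe, $value);
echo "hardened store accepted: " . ($accepted ? 'yes' : 'no') . PHP_EOL;
echo "hardened render: " . render_key_name_hardened($safe) . PHP_EOL;

// Values already sitting in storage (e.g. written before a fix) are still
// neutralised by output escaping alone, which is why escaping on render matters.
$legacy = ['mwp_key_name' => $value];
echo "escaped legacy value: " . render_key_name_hardened($legacy) . PHP_EOL;
```

Run it with `php demo.php`. The first line shows the markup passing through intact; the hardened store rejects the value, and the final line shows that escaping at render time protects even against data that was stored before the input check existed, which is the case a plugin update has to handle for sites that were already targeted.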
CVSS 3.1 breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
- Attack vector: Network
- Complexity: Low
- Privileges required: None
- User interaction: None
- Scope: Changed
- Confidentiality: Low
- Integrity: Low
- Availability: None