Platform
wordpress
Component
worker
Fixed in
4.9.32
CVE-2026-39463 identifies a Stored Cross-Site Scripting (XSS) vulnerability affecting the ManageWP Worker plugin for WordPress. This vulnerability allows unauthenticated attackers to inject malicious web scripts, potentially leading to account compromise and data theft. The vulnerability impacts versions of the plugin up to and including 4.9.31, with a fix released in version 4.9.32.
An attacker exploiting this XSS vulnerability can inject arbitrary JavaScript code into pages accessible through the ManageWP Worker plugin. When a user visits a page containing the injected script, the script will execute in their browser context, allowing the attacker to steal cookies, session tokens, or redirect the user to a malicious website. Successful exploitation could lead to complete account takeover, unauthorized access to sensitive data stored within the WordPress site, and further propagation of the attack to other systems accessible from the compromised account. The impact is amplified if the ManageWP Worker plugin is used to manage multiple WordPress sites, potentially exposing a wider range of assets.
CVE-2026-39463 was publicly disclosed on 2026-04-13. No public proof-of-concept (POC) code is currently available, but the vulnerability's nature (XSS) makes it relatively easy to exploit once identified. The EPSS score is likely to be medium, reflecting the ease of exploitation and potential impact. It is not currently listed on the CISA KEV catalog.
WordPress websites utilizing the ManageWP Worker plugin, particularly those running versions 4.9.31 or earlier, are at risk. Shared hosting environments where plugin updates are managed centrally are also at increased risk, as they may be slower to apply security patches. Sites heavily reliant on user-generated content within the ManageWP Worker plugin are also more vulnerable.
• wordpress / composer / npm:
grep -r "<script>" /var/www/html/wp-content/plugins/managewp-worker/
• wordpress / composer / npm:
wp plugin list --status=active | grep managewp-worker
• wordpress / composer / npm:
wp plugin update managewp-worker
disclosure
patch
Exploit status
CVSS vector
The primary mitigation for CVE-2026-39463 is to immediately upgrade the ManageWP Worker plugin to version 4.9.32 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the plugin or restricting access to pages where the vulnerability is most likely to be exploited. While a direct WAF rule is difficult to implement without specific knowledge of injection points, a general rule to sanitize user-supplied input before rendering in the ManageWP Worker plugin can offer some protection. Monitor WordPress logs for suspicious activity, particularly unusual JavaScript execution patterns.
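To make the "am I affected?" check repeatable, here is an added example (not code from the advisory or from ManageWP) that parses the CSV output of `wp plugin list --format=csv`, compares the installed version field by field against the last affected release 4.9.31, and reports whether the install is vulnerable, patched, or not present. The plugin slug `worker` is taken from the page's component field; the CSV listing embedded below is constructed sample data, not captured from a real site.

```shell
#!/bin/sh
# Added example: classify an installed ManageWP Worker version against
# the range affected by CVE-2026-39463 (<= 4.9.31, fixed in 4.9.32).

# Constructed sample of `wp plugin list --format=csv` output (not real data).
SAMPLE_PLUGIN_LIST='name,status,update,version
akismet,active,none,5.3
worker,active,available,4.9.31
hello,inactive,none,1.7.2'

# Last affected and first fixed releases, as stated in the advisory.
LAST_AFFECTED="4.9.31"

# version_le A B: exit 0 when dotted version A <= B, compared numerically
# component by component (so 4.10.0 sorts after 4.9.31, unlike a string compare).
version_le() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ah="${a%%.*}"; bh="${b%%.*}"
    [ -z "$ah" ] && ah=0          # missing trailing component counts as 0
    [ -z "$bh" ] && bh=0
    if [ "$ah" -lt "$bh" ]; then return 0; fi
    if [ "$ah" -gt "$bh" ]; then return 1; fi
    case "$a" in *.*) a="${a#*.}";; *) a="";; esac
    case "$b" in *.*) b="${b#*.}";; *) b="";; esac
  done
  return 0                         # all components equal
}

# affected_from_list CSV SLUG: prints one of
#   "VULNERABLE <version>"  installed version <= 4.9.31
#   "PATCHED <version>"     installed version >= 4.9.32
#   "NOT_INSTALLED"         slug not found in the listing
affected_from_list() {
  csv="$1"; slug="$2"
  # First column of wp-cli's CSV is the plugin slug; skip the header row.
  line=$(printf '%s\n' "$csv" | awk -F, -v s="$slug" 'NR>1 && $1==s {print; exit}')
  if [ -z "$line" ]; then
    echo "NOT_INSTALLED"
    return 0
  fi
  ver=$(printf '%s' "$line" | cut -d, -f4)
  if version_le "$ver" "$LAST_AFFECTED"; then
    echo "VULNERABLE $ver"
  else
    echo "PATCHED $ver"
  fi
}

# Stand-alone run against the constructed sample (prints "VULNERABLE 4.9.31").
affected_from_list "$SAMPLE_PLUGIN_LIST" worker
```

On a live site, replace the sample with the real listing: `affected_from_list "$(wp plugin list --format=csv)" worker`. The numeric comparison matters because a plain `sort` or string compare would wrongly rank a future 4.10.x release below 4.9.31 and report a patched site as vulnerable.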
Update to version 4.9.32 or a newer patched version.
CVE-2026-39463 is a Stored Cross-Site Scripting (XSS) vulnerability in the ManageWP Worker WordPress plugin, allowing attackers to inject malicious scripts.
You are affected if you are using the ManageWP Worker plugin at version 4.9.31 or earlier. Upgrade to 4.9.32 to resolve the issue.
Upgrade the ManageWP Worker plugin to version 4.9.32 or later. Consider WAF rules as a temporary workaround if upgrading is not immediately possible.
While no public exploits are currently known, the ease of exploitation for XSS vulnerabilities suggests a potential risk of exploitation.
Refer to the ManageWP website and WordPress plugin repository for the official advisory and update information.