Platform: wordpress
Component: worker
Fixed in: 4.9.32
CVE-2026-39463 describes a Stored Cross-Site Scripting (XSS) vulnerability affecting the ManageWP Worker plugin for WordPress. This vulnerability allows unauthenticated attackers to inject malicious web scripts into pages, which will then execute whenever a user accesses those pages. The vulnerability impacts versions of the plugin up to and including 4.9.31, and a fix is available in version 4.9.32.
Successful exploitation of this XSS vulnerability could allow an attacker to execute arbitrary JavaScript code within the context of a user's browser. This can lead to a variety of malicious actions, including stealing session cookies, redirecting users to phishing sites, defacing the website, or injecting malware. The attacker could potentially gain complete control over the user's account and access sensitive data stored within the WordPress site. The impact is particularly severe because the vulnerability is unauthenticated, meaning an attacker does not need to have any valid credentials to exploit it.
CVE-2026-39463 was publicly disclosed on 2026-04-13. No public proof-of-concept (PoC) code has been released at the time of writing, but the ease of exploitation for XSS vulnerabilities suggests a moderate risk of exploitation. The vulnerability is not currently listed on the CISA KEV catalog. The NVD entry was published on the same date as the public disclosure.
The primary mitigation for CVE-2026-39463 is to upgrade the ManageWP Worker plugin to version 4.9.32 or later. If immediate upgrading is not possible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule to filter out potentially malicious script injections. Additionally, carefully review and sanitize all user-supplied input within the plugin to prevent further XSS vulnerabilities. Monitor WordPress logs for suspicious activity, particularly requests containing unusual JavaScript code.
Update to version 4.9.32, or a newer patched version
CVE-2026-39463 is a Stored Cross-Site Scripting (XSS) vulnerability in the ManageWP Worker WordPress plugin, allowing attackers to inject malicious scripts.
You are affected if you are running the ManageWP Worker plugin at version 4.9.31 or earlier. Upgrade to 4.9.32 to resolve the issue.
Upgrade the ManageWP Worker plugin to version 4.9.32 or later. Consider WAF rules as a temporary workaround if upgrading is not immediately possible.
While no public exploits are currently known, the ease of exploitation for XSS vulnerabilities suggests a potential risk of exploitation.
Refer to the ManageWP website and WordPress plugin repository for the official advisory and update information.
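As an added example (not code from the advisory or from the ManageWP Worker plugin), the check below determines whether an installed copy falls inside the affected range stated above by reading the `Version:` header that WordPress itself parses from a plugin's main file and comparing it numerically against the fixed version 4.9.32. The sample header is constructed, and the `wp-content/plugins/worker/init.php` path is an assumption about where the plugin's main file lives.

```python
import re

# Fixed version as stated in the advisory above.
FIXED_VERSION = "4.9.32"

# Constructed sample of a WordPress plugin header block (not the real file).
SAMPLE_PLUGIN_HEADER = """<?php
/*
Plugin Name: ManageWP - Worker
Description: constructed sample header for illustration only
Version: 4.9.31
*/
"""

# Same shape as the header-line pattern WordPress uses when reading plugin
# metadata: optional comment punctuation, the key, a colon, then the value.
HEADER_RE = re.compile(r"^[ \t/*#@]*Version:\s*(?P<v>\S+)", re.MULTILINE | re.IGNORECASE)


def parse_version(header_text):
    """Return the Version header value, or None if the header is absent."""
    m = HEADER_RE.search(header_text)
    return m.group("v").strip() if m else None


def version_tuple(version):
    """Split a dotted version into integers so 4.10 sorts after 4.9."""
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)  # tolerate suffixes such as "32-beta"
        parts.append(int(digits.group()) if digits else 0)
    return tuple(parts)


def compare(a, b):
    """Return -1, 0 or 1 like version_compare(); "4.9" equals "4.9.0"."""
    ta, tb = version_tuple(a), version_tuple(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return (ta > tb) - (ta < tb)


def is_affected(header_text, fixed=FIXED_VERSION):
    """True when the header's version is below the fixed release.
    A missing Version header is reported as affected: the install cannot be
    shown to be patched, so the safe answer for a defender is 'affected'."""
    installed = parse_version(header_text)
    if installed is None:
        return True
    return compare(installed, fixed) < 0


def check_plugin_file(path="wp-content/plugins/worker/init.php"):
    """Read a plugin's main file (path is an assumption) and run the check."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return is_affected(fh.read())


if __name__ == "__main__":
    print("affected:", is_affected(SAMPLE_PLUGIN_HEADER))
```

Run `check_plugin_file()` from the WordPress root to test a live install; the sample header exercises the logic offline.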