Platform
wordpress
Component
injection-guard
Fixed version
1.2.10
CVE-2026-3368 is a stored Cross-Site Scripting (XSS) vulnerability affecting the WordPress Injection Guard plugin. This vulnerability allows attackers to inject malicious scripts into web pages viewed by other users. It impacts versions 1.0.0 through 1.2.9 of the plugin. A fix is available in version 1.3.0.
An attacker can exploit this XSS vulnerability by crafting malicious URLs containing specially crafted query parameters. The plugin's sanitizeigdata() function fails to properly sanitize array keys, allowing attackers to inject arbitrary JavaScript code. This code will then be executed in the context of the user's browser when they visit a page containing the malicious URL. Successful exploitation could lead to session hijacking, defacement of the website, or redirection to malicious sites. The lack of output escaping in ig_settings.php exacerbates the issue, directly echoing unsanitized data into the HTML.
This vulnerability was publicly disclosed on March 20, 2026. While no active exploitation campaigns have been confirmed, the ease of exploitation and the widespread use of WordPress plugins make it a potential target. No public proof-of-concept code has been released as of this writing, but the vulnerability's nature suggests that it is likely to be exploited if not patched promptly. The vulnerability is not currently listed on the CISA KEV catalog.
Websites using the WordPress Injection Guard plugin in versions 1.0.0 through 1.2.9 are at risk. Shared hosting environments are particularly vulnerable, as they often have limited control over plugin updates and security configurations. Sites relying on the plugin for security hardening are at increased risk, as attackers may target these sites with greater confidence.
• wordpress / composer / npm: grep -r "ig_settings.php" ./
• wordpress / composer / npm: wp plugin list --status=active | grep "Injection Guard"
• wordpress / composer / npm: wp plugin update --all
• generic web: Inspect URL query parameters for unusual characters or patterns that might indicate an XSS attempt.
disclosure
Exploitation status
EPSS
0.22% (44th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade the WordPress Injection Guard plugin to version 1.3.0 or later, which addresses the sanitization and escaping flaws. If immediate upgrading is not possible, consider implementing a Web Application Firewall (WAF) rule to block requests containing suspicious query parameter names. Specifically, look for patterns that attempt to inject JavaScript code. Additionally, review and sanitize any user-supplied data before displaying it on the website. After upgrading, confirm the fix by attempting to inject a simple JavaScript payload via a query parameter and verifying that it is not executed.
Update to version 1.3.0, or a newer patched version
CVE-2026-3368 is a stored Cross-Site Scripting (XSS) vulnerability in the WordPress Injection Guard plugin, allowing attackers to inject malicious scripts via query parameters.
You are affected if you are using the WordPress Injection Guard plugin in versions 1.0.0 through 1.2.9. Upgrade to 1.3.0 or later to mitigate the risk.
Upgrade the WordPress Injection Guard plugin to version 1.3.0 or later. Consider WAF rules as a temporary workaround.
No active exploitation campaigns have been confirmed, but the vulnerability's nature makes it a potential target.
Refer to the WordPress Plugin Directory and the Injection Guard plugin's official website for updates and advisories.