Deze pagina is nog niet vertaald naar uw taal. We werken eraan — de inhoud wordt voorlopig in het Engels weergegeven.
💡 Keep dependencies up to date — most exploits target known, patchable vulnerabilities.
CVE-2026-3718: XSS in ManageWP Worker WordPress Plugin
Platform
wordpress
Component
worker
Opgelost in
4.9.32
CVE-2026-3718 describes a stored Cross-Site Scripting (XSS) vulnerability discovered in the ManageWP Worker plugin for WordPress. This vulnerability allows unauthenticated attackers to inject arbitrary web scripts, potentially leading to account compromise and data theft. The vulnerability affects versions 0.0.0 through 4.9.31 of the plugin, but has been resolved in version 4.9.32.
Detecteer deze CVE in je project
Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.
Impact en Aanvalsscenarioswordt vertaald…
Successful exploitation of CVE-2026-3718 allows an attacker to inject and execute malicious JavaScript code within the context of an administrator's session. This can lead to a variety of attacks, including session hijacking, credential theft (e.g., stealing WordPress administrator passwords), and defacement of the WordPress site. The attacker could also redirect administrators to phishing sites or install malware. Because the vulnerability is stored, the injected script executes every time an administrator visits the plugin's connection management page with debug parameters, amplifying the potential impact. The lack of authentication requirements makes this vulnerability particularly concerning, as it can be exploited by anyone with access to send HTTP requests.
Uitbuitingscontextwordt vertaald…
CVE-2026-3718 was published on May 14, 2026. As of this date, there are no publicly known active campaigns exploiting this vulnerability. No entries on KEV or EPSS are available. The CVSS score of 7.2 (HIGH) indicates a significant risk, and the ease of exploitation (unauthenticated) suggests potential for widespread exploitation if a public proof-of-concept is released. Refer to the official ManageWP advisory for further details.
Dreigingsinformatie
Exploit Status
CISA SSVC
CVSS-vector
Wat betekenen deze metrics?
- Attack Vector
- Netwerk — op afstand uitbuitbaar via internet. Geen fysieke of lokale toegang vereist.
- Attack Complexity
- Laag — geen speciale voorwaarden vereist. Betrouwbaar uitbuitbaar.
- Privileges Required
- Geen — geen authenticatie vereist om te exploiteren.
- User Interaction
- Geen — automatische en stille aanval. Slachtoffer doet niets.
- Scope
- Gewijzigd — aanval kan voorbij het kwetsbare component uitbreiden naar andere systemen.
- Confidentiality
- Laag — gedeeltelijke toegang tot enkele gegevens.
- Integrity
- Laag — aanvaller kan enkele gegevens met beperkte omvang aanpassen.
- Availability
- Geen — geen beschikbaarheidsimpact.
Getroffen Software
Zwakheidsclassificatie (CWE)
Tijdlijn
- Gereserveerd
- Gepubliceerd
Mitigatie en Workaroundswordt vertaald…
The primary mitigation for CVE-2026-3718 is to upgrade the ManageWP Worker plugin to version 4.9.32 or later. If an immediate upgrade is not possible due to compatibility issues or breaking changes, consider implementing a temporary workaround by filtering or sanitizing the 'MWP-Key-Name' HTTP request header on the web server. This can be achieved using web application firewall (WAF) rules or proxy configurations to block or modify suspicious header values. Additionally, disable debug parameters on the plugin's connection management page to reduce the attack surface. After upgrading, confirm the fix by attempting to inject a simple JavaScript payload via the 'MWP-Key-Name' header and verifying that it is not executed.
Hoe te verhelpen
Update naar versie 4.9.32, of een nieuwere gepatchte versie
Veelgestelde vragenwordt vertaald…
What is CVE-2026-3718 — XSS in ManageWP Worker WordPress Plugin?
CVE-2026-3718 is a stored Cross-Site Scripting (XSS) vulnerability affecting the ManageWP Worker WordPress plugin. It allows attackers to inject malicious scripts via the 'MWP-Key-Name' HTTP header, potentially compromising administrator accounts.
Am I affected by CVE-2026-3718 in ManageWP Worker WordPress Plugin?
You are affected if you are using ManageWP Worker plugin versions 0.0.0 through 4.9.31. Upgrade to version 4.9.32 or later to mitigate the risk.
How do I fix CVE-2026-3718 in ManageWP Worker WordPress Plugin?
Upgrade the ManageWP Worker plugin to version 4.9.32 or later. As a temporary workaround, filter or sanitize the 'MWP-Key-Name' HTTP header on your web server.
Is CVE-2026-3718 being actively exploited?
As of May 14, 2026, there are no publicly known active campaigns exploiting CVE-2026-3718, but the HIGH severity score warrants immediate attention.
Where can I find the official ManageWP advisory for CVE-2026-3718?
Refer to the official ManageWP advisory for the most up-to-date information and guidance regarding CVE-2026-3718. Check the ManageWP website or their security blog for announcements.
Is jouw project getroffen?
Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.
Detecteer deze CVE in je project
Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.
Scan nu uw WordPress project — geen account
Upload een manifest (composer.lock, package-lock.json, WordPress pluginlijst…) of plak uw componentenlijst. U ontvangt direct een kwetsbaarheidsrapport. Een bestand uploaden is slechts het begin: met een account krijgt u continue monitoring, Slack/e-mail alerts, multi-project en white-label rapporten.
Sleep uw afhankelijkheidsbestand hierheen
composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...