CVE-2026-3718: XSS in ManageWP Worker WordPress Plugin

Successful exploitation of CVE-2026-3718 allows an attacker to inject and execute malicious JavaScript code within the context of an administrator's session. This can lead to a variety of attacks, including session hijacking, credential theft (e.g., stealing WordPress administrator passwords), and defacement of the WordPress site. The attacker could also redirect administrators to phishing sites or install malware. Because the vulnerability is stored, the injected script executes every time an administrator visits the plugin's connection management page with debug parameters, amplifying the potential impact. The lack of authentication requirements makes this vulnerability particularly concerning, as it can be exploited by anyone with access to send HTTP requests.

1. Reservado2026-03-07
2. Publicada2026-05-14

The primary mitigation for CVE-2026-3718 is to upgrade the ManageWP Worker plugin to version 4.9.32 or later. If an immediate upgrade is not possible due to compatibility issues or breaking changes, consider implementing a temporary workaround by filtering or sanitizing the 'MWP-Key-Name' HTTP request header on the web server. This can be achieved using web application firewall (WAF) rules or proxy configurations to block or modify suspicious header values. Additionally, disable debug parameters on the plugin's connection management page to reduce the attack surface. After upgrading, confirm the fix by attempting to inject a simple JavaScript payload via the 'MWP-Key-Name' header and verifying that it is not executed.