ManageWP Worker Plugin Vulnerable to Unauthenticated XSS (CVE-2026-3718)
The National Vulnerability Database has disclosed CVE-2026-3718, detailing a Stored Cross-Site Scripting (XSS) vulnerability in the ManageWP Worker plugin for WordPress. Affecting all versions up to and including 4.9.31, this flaw stems from inadequate input sanitization and output escaping of HTTP request header values, specifically MWP-Key-Name.
This vulnerability allows unauthenticated attackers to inject arbitrary web scripts. These scripts then execute whenever an administrator visits the plugin’s connection management page with debug parameters. With a CVSS score of 7.2 (High), the impact is significant, enabling attackers to compromise administrative sessions or redirect users, leading to further system compromise.
For defenders, this is a critical reminder that even seemingly innocuous HTTP headers can be attack vectors. The attacker’s calculus here is low effort, high reward: no authentication needed, just a cleverly crafted header to set up a persistent XSS that triggers on an admin visit. This is a classic client-side attack that can cascade into full server compromise if the admin’s session is hijacked.
What This Means For You
- If your organization uses WordPress with the ManageWP Worker plugin, you need to verify your installed version immediately. Patching to a version beyond 4.9.31 is paramount. Beyond patching, review your web application firewall (WAF) rules to ensure robust input validation and consider implementing Content Security Policy (CSP) headers to mitigate potential XSS exploitation.
🛡️ Detection Rules
3 rules · 6 SIEM formats. 3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free; export to any SIEM format via the Intel Bot.
CVE-2026-3718 - ManageWP Worker Plugin Unauthenticated XSS via MWP-Key-Name Header

```yaml
title: CVE-2026-3718 - ManageWP Worker Plugin Unauthenticated XSS via MWP-Key-Name Header
id: scw-2026-05-14-ai-1
status: experimental
level: high
description: |
  Detects attempts to exploit CVE-2026-3718 by looking for HTTP POST requests to the WordPress AJAX handler containing the vulnerable 'MWP-Key-Name' header. This header is used by the ManageWP Worker plugin and is susceptible to unauthenticated XSS due to insufficient sanitization.
author: SCW Feed Engine (AI-generated)
date: 2026-05-14
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-3718/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-method:
      - 'POST'
    uri|contains:
      - '/wp-admin/admin-ajax.php'
    header|contains:
      - 'MWP-Key-Name'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
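The Sigma selection above fires on every POST to admin-ajax.php that carries an MWP-Key-Name header, which includes the plugin's own legitimate traffic (the rule's falsepositives entry). The following added example, written for this page and not taken from the plugin, the NVD entry or the feed engine, reproduces that selection over a few constructed log events and then applies the tighter check that the advisory's root cause suggests: a key name that would be altered by HTML output escaping is one that could only do harm if rendered unescaped on the connection management page. It assumes a JSON-per-line log shape with request headers recorded (a reverse proxy or WAF configured to log headers; plain combined-format access logs do not contain custom request headers, so the `header|contains` field needs such a source). The event fields, the sample values and the `HEADER_NAME` constant are all constructed for the example.

```python
import html
import json

# Constructed sample events, one JSON object per line, in the shape a reverse proxy
# or WAF might emit when configured to record request headers. Assumption: this is
# not a real log format from any product and the values are made up for the example.
SAMPLE_LOG = """
{"method": "POST", "uri": "/wp-admin/admin-ajax.php", "headers": {"MWP-Key-Name": "site-key-01", "User-Agent": "ManageWP"}}
{"method": "POST", "uri": "/wp-admin/admin-ajax.php?action=mwp", "headers": {"mwp-key-name": "<script>alert(1)</script>"}}
{"method": "GET", "uri": "/index.php", "headers": {"User-Agent": "Mozilla/5.0"}}
{"method": "POST", "uri": "/wp-admin/admin-ajax.php", "headers": {"X-Requested-With": "XMLHttpRequest"}}
""".strip().splitlines()

# Header name from the advisory; compared case-insensitively because HTTP header
# names are case-insensitive and proxies often normalise them.
HEADER_NAME = "mwp-key-name"


def parse_event(line: str) -> dict:
    """Parse one JSON log line and lower-case the header names for matching."""
    event = json.loads(line)
    event["headers"] = {k.lower(): v for k, v in event.get("headers", {}).items()}
    return event


def sigma_selection(event: dict) -> bool:
    """The page's Sigma selection: POST, URI containing the AJAX handler,
    and the MWP-Key-Name header present in the request."""
    return (
        event.get("method") == "POST"
        and "/wp-admin/admin-ajax.php" in event.get("uri", "")
        and HEADER_NAME in event["headers"]
    )


def header_carries_markup(value: str) -> bool:
    """True when HTML escaping would change the value, i.e. it contains characters
    (<, >, &, quotes) that are only dangerous if a page renders the header value
    without the output escaping the advisory says the plugin lacks."""
    return html.escape(value, quote=True) != value


def triage(lines):
    """One finding per line: the broad Sigma match, the tighter markup signal,
    and a level derived from both (none / info / high)."""
    findings = []
    for n, line in enumerate(lines, start=1):
        event = parse_event(line)
        hit = sigma_selection(event)
        markup = hit and header_carries_markup(event["headers"][HEADER_NAME])
        level = "high" if markup else ("info" if hit else "none")
        findings.append(
            {"line": n, "sigma_match": hit, "markup_in_header": markup, "level": level}
        )
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Line 1 matches the Sigma selection but carries an ordinary key name, so it stays at "info"; line 2 matches and its header value would be changed by escaping, so it is raised to "high"; lines 3 and 4 miss the selection (wrong method, header absent). Keeping the broad match as a separate field preserves parity with the published rule while the markup check gives an analyst something to sort on.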
Source: Shimi's Cyber World
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-3718 | XSS | ManageWP Worker plugin for WordPress versions <= 4.9.31 |
| CVE-2026-3718 | XSS | Vulnerable component: 'MWP-Key-Name' HTTP request header |
| CVE-2026-3718 | XSS | Attack vector: Insufficient input sanitization and output escaping of header values |
| CVE-2026-3718 | XSS | Affected page: plugin's connection management page with debug parameters |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 14, 2026 at 10:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.