The Injection Guard plugin for WordPress, developed by fahadmahmood, suffers from a stored cross-site scripting vulnerability (CVE-2026-3368) due to improper input neutralization (CWE-79). The vulnerability exists in all versions up to and including 1.2.9. The root cause is insufficient sanitization of query parameter keys in the sanitize_ig_data() function, which sanitizes only array values but neglects array keys. When a request is made, the plugin captures the raw query string from $_SERVER['QUERY_STRING'], applies esc_url_raw(), which does not fully encode special characters, and then uses parse_str() to decode the string. This process results in decoded HTML or JavaScript code embedded in the array keys. These keys are stored persistently using update_option('ig_requests_log'). Later, when the admin views the Injection Guard log page (ig_settings.php), these stored keys are output directly into HTML without proper escaping functions like esc_html() or esc_attr(), enabling stored XSS. An unauthenticated attacker can craft a malicious URL with specially crafted query parameters that inject JavaScript into the admin interface. When an administrator accesses the log page, the malicious script executes in their browser context, potentially allowing session hijacking, credential theft, or further administrative actions. The vulnerability has a CVSS 3.1 base score of 7.2 (high), reflecting network attack vector, low attack complexity, no privileges or user interaction required, and a scope change with partial confidentiality and integrity impact but no availability impact. No public exploits are currently known, but the vulnerability's characteristics make it a critical concern for sites using this plugin.

This vulnerability poses a significant risk to organizations running WordPress sites with the Injection Guard plugin installed. Since exploitation requires no authentication and can be triggered remotely, attackers can inject persistent malicious scripts that execute in the context of site administrators. This can lead to administrative account compromise, theft of sensitive credentials, unauthorized changes to site configurations, or deployment of further malware. The scope of impact extends to any organization relying on the plugin for security monitoring, as the logs themselves become an attack vector. Compromise of administrative accounts can cascade into full site takeover, data breaches, and reputational damage. Given WordPress's widespread use globally, the vulnerability could affect a broad range of sectors including e-commerce, government, education, and media. The absence of known exploits in the wild currently limits immediate widespread damage, but the vulnerability is likely to attract attackers once publicized, increasing risk over time.

1. Immediate upgrade: Apply any available patches or updates from the plugin developer addressing this vulnerability. If no patch exists, consider disabling or uninstalling the Injection Guard plugin until a fix is released. 2. Input sanitization: Developers should modify sanitize_ig_data() to sanitize both array keys and values, ensuring no malicious code can be stored. 3. Output escaping: Ensure all data rendered in the admin log page is properly escaped using WordPress functions such as esc_html() or esc_attr() to prevent script execution. 4. Access control: Restrict access to the Injection Guard log page to trusted administrators only, and consider additional authentication layers or IP whitelisting. 5. Monitoring: Implement monitoring for suspicious query strings and unusual admin log page access patterns. 6. Web Application Firewall (WAF): Deploy WAF rules to detect and block malicious query parameters targeting this vulnerability. 7. Security awareness: Educate administrators to be cautious when accessing plugin logs and to report unexpected behaviors. 8. Backup: Maintain regular backups of site data and configurations to enable recovery in case of compromise.