CVE-2026-3348
Description
The MinhNhut Link Gateway plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's settings (Description, Title, and other fields) in all versions up to, and including, 3.6.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the redirect page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in the MinhNhut Link Gateway plugin's settings allows Administrator-level attackers to inject scripts that execute on the redirect page; only multi-site installations and sites where unfiltered_html is disabled are affected.
Vulnerability
The MinhNhut Link Gateway plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) in its settings fields, including Description, Title, and others. The vulnerability affects all versions up to and including 3.6.1. It stems from insufficient input sanitization and output escaping in the plugin's settings page, as seen in the source code at classes.php [1]. The malicious script is stored and executed when a user accesses the redirect page.
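As an added illustration (not the plugin's code, and not taken from classes.php), the sanitize-on-save and escape-on-output pattern whose absence the description names, for a WordPress settings field that an administrator saves and the plugin later prints on a public page. All mnlg_* function names and option keys are hypothetical.

```php
<?php
// Added illustration, not the plugin's code. All mnlg_* names and option
// keys are hypothetical.

// Weak pattern: the posted value is stored verbatim and echoed unescaped,
// so whatever an administrator types (including markup) reaches visitors.
function mnlg_save_settings_unsafe() {
    update_option( 'mnlg_description', $_POST['mnlg_description'] );
}
function mnlg_render_unsafe() {
    echo '<p>' . get_option( 'mnlg_description' ) . '</p>';
}

// Hardened pattern, step 1: register the option with a sanitize_callback so
// every write through the Settings API is filtered before it is stored.
function mnlg_sanitize_settings( $input ) {
    $clean = array();
    // Title is plain text: strip tags, control characters and extra whitespace.
    $clean['title'] = sanitize_text_field( $input['title'] ?? '' );
    // Description may carry limited markup: keep only the post-safe subset
    // (no <script>, no on* handlers, no javascript: URLs).
    $clean['description'] = wp_kses_post( $input['description'] ?? '' );
    return $clean;
}

function mnlg_register_settings() {
    register_setting(
        'mnlg_options_group',
        'mnlg_options',
        array(
            'type'              => 'array',
            'sanitize_callback' => 'mnlg_sanitize_settings',
            'default'           => array( 'title' => '', 'description' => '' ),
        )
    );
}
add_action( 'admin_init', 'mnlg_register_settings' );

// Hardened pattern, step 2: escape at output, for the context the value lands in.
function mnlg_render_redirect_page() {
    $opts  = get_option( 'mnlg_options', array() );
    $title = $opts['title'] ?? '';
    $desc  = $opts['description'] ?? '';
    echo '<title>' . esc_html( $title ) . '</title>';                                              // text node
    echo '<meta name="description" content="' . esc_attr( wp_strip_all_tags( $desc ) ) . '">'; // attribute
    // Re-run wp_kses_post at render time so a value written by another path
    // (import, direct database edit) is constrained even if it skipped save.
    echo '<div class="mnlg-description">' . wp_kses_post( $desc ) . '</div>';
}
```

The sanitize_callback closes the storage path and the esc_*/wp_kses_post calls close the output path; a site that disables unfiltered_html relies on exactly these two layers, since core no longer filters what an administrator submits.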
Exploitation
An attacker must be authenticated with Administrator-level privileges or higher. The attack is only possible on multi-site installations or instances where the unfiltered_html capability has been disabled for administrators. The attacker injects arbitrary web scripts into the plugin settings (e.g., the Description or Title fields). When any user visits the redirect page generated by the plugin, the injected script executes in the context of that user's browser.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the browsers of users visiting the redirect page. This can lead to session hijacking, defacement, or theft of sensitive information. The attacker can potentially perform actions on behalf of the victim, as the script executes in the context of the affected WordPress site.
Mitigation
As of the publication date, the vendor has not released a patched version. Users should restrict Administrator access to trusted individuals only, especially on multi-site installations. If possible, enable the unfiltered_html capability for administrators (though this may introduce other risks).
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 entries, both without a CPE identifier:
- (no CPE) range: <= 3.6.1
- (no CPE) range: <= 3.6.1
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE; the mechanics section is only generated when the actual fix diff can be read. Without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
3 references.
News mentions
No linked articles in our index yet.