CVE-2026-39463

Vulnerability

The ManageWP Worker plugin for WordPress versions up to and including 4.9.31 contains an unauthenticated Cross-Site Scripting (XSS) vulnerability. The flaw allows an attacker to inject arbitrary JavaScript into the application without requiring authentication, though successful exploitation depends on a privileged user performing an action such as clicking a crafted link or visiting a malicious page. [1]

Exploitation

An attacker can exploit this vulnerability by crafting a malicious URL or page that, when interacted with by a user with administrative or other privileged roles, triggers the XSS payload. No prior authentication is needed for the attacker; the attack vector is network-based and requires user interaction from a logged-in user. The attacker does not need any special privileges or write access to the site. [1]

Impact

If successfully exploited, the attacker can inject arbitrary HTML and JavaScript into the victim's browser, leading to actions such as redirecting visitors to malicious sites, displaying advertisements, or other HTML payloads. This can result in defacement, phishing attacks, or further compromise of the WordPress site and its users. The impact is limited to the context of the affected site and the privileges of the user who triggered the payload. [1]

Mitigation

The vulnerability is fixed in version 4.9.32 of the ManageWP Worker plugin. Users are strongly advised to update immediately. For those unable to update, Patchstack has provided a mitigation rule to block attacks until the update can be applied. No other workarounds are documented in the available reference. [1]