CVE-2026-39463: WordPress ManageWP Worker plugin <= 4.9.31 - Cross Site Scripting (XSS) vulnerability
Unauthenticated Cross Site Scripting (XSS) in ManageWP Worker <= 4.9.31 versions.
Metrics
- CVSS v3.1
- 7.1
- Severity
- HIGH
- Fixed in
- —
- Affected Products
- 1
HarborGuard Analysis
Synopsis
A reflected or stored cross-site scripting (XSS) vulnerability affects the ManageWP Worker WordPress plugin at version 4.9.31 and earlier. It is exploitable over the network with no authentication required, but a victim must be social-engineered into triggering the malicious request. Successful exploitation allows an attacker to inject and execute arbitrary JavaScript in the victim's browser, enabling session theft, UI redirection, and limited data tampering. No upstream fix has been published; HarborGuard is tracking the advisory for patch availability.
HarborGuard Coverage
Detection for CVE-2026-39463 is available across every HarborGuard environment - the CVE is ingested from upstream feeds (including Patchstack) within minutes of publication and matched against customer images, including custom-built WordPress images that bundle the ManageWP Worker plugin. Any image carrying the affected plugin version at or below 4.9.31 is flagged automatically.
AvailableHarborGuard scores this finding at CVSS 7.1 (High) using the published v3.1 vector, and can apply per-environment compliance policy weighting to escalate or suppress priority accordingly. Findings are routable to the appropriate team inbox within each customer organization based on workload ownership and policy configuration.
AvailableBecause no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment the ManageWP Worker maintainers ship a corrected release. In the meantime, the finding remains open and active in each affected environment's vulnerability queue.
Pending upstreamExploit Conditions
- Network reachabilityRequired
The attacker must be able to reach the vulnerable WordPress service over the network to deliver the malicious payload.
- AuthenticationNot required
No account or credentials are needed; the attack can be launched by any unauthenticated party.
- Victim interactionRequired
A logged-in user (typically an administrator or editor) must be induced to click a crafted link or visit a page containing the injected payload for the attack to succeed.
- Attack complexityDetail
The exploit is reliable and requires no special race conditions or environmental prerequisites beyond delivering the malicious request to the victim.
Blast Radius
- Reads browser session cookies and authentication tokens belonging to the victim, enabling account takeover of the affected WordPress user.
- Injects content or redirects into the victim's browser session, allowing UI manipulation or phishing within the trusted site origin.
- Performs limited unauthorized modifications through the victim's session, such as publishing or altering WordPress content on their behalf.
How HarborGuard Handles This
Available on HarborGuard: images containing ManageWP Worker at or below version 4.9.31 are automatically flagged against this CVE as soon as it matches ingest feeds. Because no upstream fix exists yet, HarborGuard will continue polling the advisory on every ingest cycle and will surface a patched-image rebuild the moment a corrected plugin version is published. While waiting for an upstream fix, customers can apply compensating controls such as network-policy rules that restrict unauthenticated external access to WordPress admin endpoints, web application firewall rules targeting reflected XSS patterns in plugin-specific request parameters, and feature-flag or plugin-deactivation options within the WordPress environment. For customers with auto-remediation enabled, a rebuild and regression test run will be triggered automatically once a fix version appears, with a PR opened against affected workloads to minimize time to resolution.
- ManageWP / ManageWP Worker≤ 4.9.31
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L