CVE-2026-8626
Deferred Deferred - Pending Action
Reflected Cross-Site Scripting in SponsorMe WordPress Plugin

Publication date: 2026-05-20

Last updated on: 2026-05-20

Assigner: Wordfence

Description
The SponsorMe plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PHP_SELF Parameter in all versions up to, and including, 0.5.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. The PHP_SELF value is reflected in two separate locations within the vulnerable function β€” a form action attribute and an anchor href attribute β€” both of which can be exploited by appending a crafted payload to the wp-admin/admin.php URL path.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-20
Last Modified
2026-05-20
Generated
2026-06-09
AI Q&A
2026-05-20
EPSS Evaluated
2026-06-08
NVD
CVE-2026-8626
EUVD
EUVD-2026-31024
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
sponsorme plugin to 0.5.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The SponsorMe plugin for WordPress has a Reflected Cross-Site Scripting (XSS) vulnerability in all versions up to and including 0.5.2. This occurs because the plugin does not properly sanitize or escape input from the PHP_SELF parameter. An attacker can craft a malicious URL that includes a script payload in the PHP_SELF value, which is then reflected in two places on the page: a form's action attribute and an anchor's href attribute. If a user clicks on such a crafted link, the injected script executes in their browser.

Impact Analysis

This vulnerability allows unauthenticated attackers to inject and execute arbitrary scripts in the context of a user's browser session. This can lead to various impacts such as theft of user credentials, session hijacking, or performing actions on behalf of the user without their consent. Since the attack requires tricking a user into clicking a malicious link, it relies on social engineering but can compromise user data and site integrity.

Detection Guidance

This vulnerability can be detected by checking for reflected Cross-Site Scripting (XSS) attempts involving the PHP_SELF parameter in the SponsorMe WordPress plugin. Specifically, monitoring HTTP requests to wp-admin/admin.php with suspicious or crafted payloads appended to the URL path can help identify exploitation attempts.

You can use network monitoring tools or web server logs to look for requests containing unusual or encoded scripts in the PHP_SELF parameter.

Example commands to detect such attempts include:

  • Using grep on web server logs to find suspicious requests: grep -i "wp-admin/admin.php" /var/log/apache2/access.log | grep -E "<script|%3Cscript"
  • Using curl to test if the site is vulnerable by sending a crafted URL payload: curl -i "http://yourwordpresssite/wp-admin/admin.php/<script>alert(1)</script>"
  • Using a web vulnerability scanner that supports reflected XSS detection on the PHP_SELF parameter in the SponsorMe plugin.
Mitigation Strategies

Immediate mitigation steps include:

  • Update the SponsorMe plugin to a version later than 0.5.2 where the vulnerability is fixed.
  • If an update is not immediately available, restrict access to the wp-admin/admin.php page or disable the SponsorMe plugin temporarily.
  • Implement Web Application Firewall (WAF) rules to block requests containing suspicious payloads in the PHP_SELF parameter.
  • Educate users to avoid clicking on suspicious links that could exploit this reflected XSS vulnerability.
Compliance Impact

The CVE description does not provide specific information on how the SponsorMe plugin vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-8626. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart