CVE-2026-8627
Reflected Cross-Site Scripting in Correct Prices WordPress Plugin
Publication date: 2026-05-20
Last updated on: 2026-05-20
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| correct_prices | plugin | to 1.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Correct Prices plugin for WordPress has a Reflected Cross-Site Scripting (XSS) vulnerability in versions up to and including 1.0. This occurs because the plugin's correct_prices_page() function outputs the $_SERVER['PHP_SELF'] variable directly into a form's action attribute without sanitizing or escaping it.
Since $_SERVER['PHP_SELF'] reflects attacker-controlled path information appended to the script URL, an attacker can manipulate this to break out of the attribute and inject arbitrary malicious markup or scripts.
This vulnerability allows unauthenticated attackers to inject and execute arbitrary web scripts if they can trick a user into clicking a specially crafted link.
How can this vulnerability impact me? :
This vulnerability can lead to the execution of arbitrary scripts in the context of the affected website, which can result in several impacts:
- An attacker could steal sensitive information such as cookies, session tokens, or other private data.
- It could allow attackers to perform actions on behalf of the user (session hijacking).
- Users might be redirected to malicious sites or shown fraudulent content.
- Because the attack requires user interaction (clicking a crafted link), it can be used in phishing or social engineering attacks.