CVE-2026-8627
Deferred Deferred - Pending Action
Reflected Cross-Site Scripting in Correct Prices WordPress Plugin

Publication date: 2026-05-20

Last updated on: 2026-05-20

Assigner: Wordfence

Description
The Correct Prices plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $_SERVER['PHP_SELF'] variable in versions up to and including 1.0. This is due to the correct_prices_page() function echoing $_SERVER['PHP_SELF'] into a form's action attribute without any input sanitization or output escaping (such as esc_url() or esc_attr()). Because PHP_SELF reflects attacker-controlled path-info appended to the script URL, an attacker can break out of the attribute and inject arbitrary markup. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a specially crafted link.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-20
Last Modified
2026-05-20
Generated
2026-06-09
AI Q&A
2026-05-20
EPSS Evaluated
2026-06-08
NVD
CVE-2026-8627
EUVD
EUVD-2026-31023
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
correct_prices plugin to 1.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The Correct Prices plugin for WordPress has a Reflected Cross-Site Scripting (XSS) vulnerability in versions up to and including 1.0. This occurs because the plugin's correct_prices_page() function outputs the $_SERVER['PHP_SELF'] variable directly into a form's action attribute without sanitizing or escaping it.

Since $_SERVER['PHP_SELF'] reflects attacker-controlled path information appended to the script URL, an attacker can manipulate this to break out of the attribute and inject arbitrary malicious markup or scripts.

This vulnerability allows unauthenticated attackers to inject and execute arbitrary web scripts if they can trick a user into clicking a specially crafted link.

Impact Analysis

This vulnerability can lead to the execution of arbitrary scripts in the context of the affected website, which can result in several impacts:

  • An attacker could steal sensitive information such as cookies, session tokens, or other private data.
  • It could allow attackers to perform actions on behalf of the user (session hijacking).
  • Users might be redirected to malicious sites or shown fraudulent content.
  • Because the attack requires user interaction (clicking a crafted link), it can be used in phishing or social engineering attacks.
Detection Guidance

This vulnerability involves reflected Cross-Site Scripting (XSS) via the $_SERVER['PHP_SELF'] variable in the Correct Prices WordPress plugin up to version 1.0. Detection typically involves checking if the plugin is installed and its version, and testing for reflected XSS by sending specially crafted requests that include script payloads in the URL path.

One way to detect this vulnerability is to inspect HTTP requests to pages using the Correct Prices plugin and observe if the PHP_SELF variable is reflected unsanitized in the HTML form action attribute.

  • Use curl or a browser to send a request with a crafted URL path containing a script payload, for example: curl -v "http://example.com/wp-admin/admin.php?page=correct_prices/%22%3E%3Cscript%3Ealert(1)%3C/script%3E"
  • Check the response HTML for the presence of the injected script in the form's action attribute.
  • Use automated scanners or tools that detect reflected XSS vulnerabilities by analyzing URL parameters and reflected content.
Mitigation Strategies

Immediate mitigation steps include updating the Correct Prices plugin to a version that fixes the vulnerability if available.

If an update is not available, temporarily disable or remove the plugin to prevent exploitation.

As a workaround, apply input sanitization and output escaping to the PHP_SELF variable in the plugin code, such as using esc_url() or esc_attr() functions in WordPress to properly escape the form action attribute.

Additionally, educate users to avoid clicking on suspicious links that could exploit this reflected XSS vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-8627. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart