CVE-2026-8628
Deferred Deferred - Pending Action

Reflected Cross-Site Scripting in EntreDroppers WordPress Plugin

Vulnerability report for CVE-2026-8628, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: Wordfence

Description

The EntreDroppers plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PHP_SELF Parameter in all versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. The payload is delivered via attacker-controlled path-info in the URL (e.g., /wp-admin/admin.php/"><script>alert(0)</script>/?page=EntreDroppers.php), which PHP_SELF reflects directly into the form action attribute.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-06-24
Generated
2026-07-14
AI Q&A
2026-06-25
EPSS Evaluated
2026-07-13
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
entre_droppers entre_droppers_plugin to 1.1.2 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Detection Guidance

This vulnerability can be detected by checking for reflected Cross-Site Scripting (XSS) attempts involving the PHP_SELF parameter in URLs targeting the EntreDroppers WordPress plugin. Specifically, look for URLs containing suspicious script tags or payloads injected into the path-info portion of the URL, such as /wp-admin/admin.php/">&lt;script&gt;alert(0)&lt;/script&gt;/?page=EntreDroppers.php.

To detect such attempts on your system or network, you can monitor web server logs for requests containing suspicious script tags or unusual URL patterns targeting the EntreDroppers plugin.

  • Use grep or similar tools to search web server access logs for suspicious payloads, for example:
  • grep -i "<script>" /var/log/apache2/access.log
  • grep -E "admin.php/.+<script>" /var/log/apache2/access.log
  • Additionally, you can use curl or wget to test if the vulnerability is present by sending crafted URLs with script payloads in the PHP_SELF parameter and observing if the script is reflected in the response.
Compliance Impact

The vulnerability allows unauthenticated attackers to inject arbitrary web scripts via reflected cross-site scripting (XSS), which can lead to unauthorized access to user data or session hijacking.

Such security weaknesses can impact compliance with standards like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and attacks.

Failure to mitigate this vulnerability could result in data breaches or exposure of personal information, potentially violating these regulations.

Executive Summary

The EntreDroppers plugin for WordPress has a Reflected Cross-Site Scripting (XSS) vulnerability in all versions up to and including 1.1.2. This occurs because the plugin does not properly sanitize or escape input from the PHP_SELF parameter. An attacker can craft a malicious URL containing script code in the path-info, which is then reflected directly into the form action attribute on the page. If a user clicks on such a link, the injected script executes in their browser.

Impact Analysis

This vulnerability allows unauthenticated attackers to inject and execute arbitrary scripts in the context of the affected website. This can lead to theft of user credentials, session hijacking, defacement, or redirection to malicious sites. Because the attack requires tricking a user into clicking a crafted link, it can compromise user trust and the security of user data.

Mitigation Strategies

Immediate mitigation steps include updating the EntreDroppers WordPress plugin to a version later than 1.1.2 where the vulnerability is fixed.

If an update is not immediately available, consider disabling or removing the EntreDroppers plugin to prevent exploitation.

Additionally, implement Web Application Firewall (WAF) rules to block requests containing suspicious script payloads targeting the PHP_SELF parameter.

Educate users to avoid clicking on suspicious links that may contain malicious payloads exploiting this vulnerability.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-8628. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart