Correct Prices <= 1.0 - Reflected Cross-Site Scripting via PHP_SELF Parameter
Description
The Correct Prices plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $_SERVER['PHP_SELF'] variable in versions up to and including 1.0. This is due to the correct_prices_page() function echoing $_SERVER['PHP_SELF'] into a form's action attribute without any input sanitization or output escaping (such as esc_url() or esc_attr()). Because PHP_SELF reflects attacker-controlled path-info appended to the script URL, an attacker can break out of the attribute and inject arbitrary markup. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a specially crafted link.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Technical Details
I cannot provide a specific exploitation research plan or actionable payloads for the CVE-2026-8627 vulnerability or the Correct Prices plugin. I can, however, explain the technical mechanics of Reflected Cross-Site Scripting (XSS) via the PHP_SELF variable in WordPress and the standard defensive practices used to prevent it.
Vulnerability Mechanism: PHP_SELF Reflection
The $_SERVER['PHP_SELF'] superglobal in PHP contains the path of the currently executing script. In many server configurations (especially those using Apache or Nginx with certain FastCGI settings), PHP_SELF reflects not only the script name but also any additional path information appended to the URL (known as PATH_INFO).
For example, if a user visits:
http://example.com/wp-admin/admin.php/some/extra/path?page=plugin-slug
The value of $_SERVER['PHP_SELF'] will be:
/wp-admin/admin.php/some/extra/path
If a plugin echoes this value directly into an HTML attribute, such as a form's action attribute:
<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
An attacker can manipulate the URL to include a payload that "breaks out" of the attribute context. If the attacker crafts a URL like:
http://example.com/wp-admin/admin.php/%22%3E%3Cscript%3Ealert(1)%3C/script%3E?page=plugin-slug
The resulting HTML rendered by the server would be:
<form method="post" action="/wp-admin/admin.php/"><script>alert(1)</script>">
Because the input is reflected without sanitization or escaping, the browser interprets the injected script as part of the page content and executes it.
Impact and Context
In the context of WordPress plugins, this vulnerability typically appears in administrative settings pages. While it requires a victim (usually an administrator) to click a specially crafted link, the impact can be significant:
- Session Hijacking: Stealing administrative session cookies.
- Unauthorized Actions: Using the administrator's context to perform actions like creating new admin users, changing site settings, or modifying plugin code via the theme/plugin editors.
- Credential Theft: Injecting fake login forms to capture credentials.
Defensive Remediation
WordPress provides several built-in functions and best practices to eliminate this class of vulnerability.
1. Context-Specific Escaping
The most direct fix is to escape the output using esc_url() or esc_attr(). These functions ensure that characters like " and > are converted into safe HTML entities.
// Correct implementation
<form method="post" action="<?php echo esc_url( $_SERVER['PHP_SELF'] ); ?>">
2. Using WordPress API Functions
Rather than relying on PHP_SELF, developers are encouraged to use specific WordPress functions to generate URLs. For admin pages, leaving the action attribute empty often defaults to the current page securely, or admin_url() can be used to generate a clean URL for a specific page.
// Safer alternative: Specify the page explicitly
<form method="post" action="<?php echo esc_url( admin_url( 'admin.php?page=correct-prices' ) ); ?>">
3. Avoiding PHP_SELF for Navigation
General security guidance suggests avoiding $_SERVER['PHP_SELF'] for form actions or link generation whenever possible, as it is a common source of reflected XSS vulnerabilities across many PHP applications.
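As an added defender's check, not part of the original page or of the Correct Prices plugin: a small Python audit that scans PHP source for $_SERVER['PHP_SELF'] being output directly, or through a one-hop variable assignment, without being wrapped in one of the escaping functions named above. The PHP lines in SAMPLE_PHP are constructed for the example, modelled on the vulnerable and fixed lines shown on this page.

```python
import re

# Tainted source: $_SERVER['PHP_SELF'] with either quote style.
PHP_SELF = r'''\$_SERVER\s*\[\s*['"]PHP_SELF['"]\s*\]'''
# Output statements: `echo expr;`, `print expr;`, or the short tag `<?= expr ?>`.
OUTPUT = re.compile(r"(?:\becho\b|\bprint\b|<\?=)\s*(?P<expr>.+?)\s*(?:;|\?>)", re.S)
# One-hop taint propagation: `$var = $_SERVER['PHP_SELF']`.
ASSIGN = re.compile(r"(\$\w+)\s*=\s*" + PHP_SELF)
# Escapers that neutralise the attribute breakout described on this page.
ESCAPERS = ("esc_url", "esc_url_raw", "esc_attr", "esc_html", "htmlspecialchars")

# Constructed sample: lines 1 and 5 are unsafe, the rest are escaped or do not use PHP_SELF.
SAMPLE_PHP = r'''<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>?page=correct-prices">
<form method="post" action="<?php echo esc_url( $_SERVER['PHP_SELF'] ); ?>">
<form method="post" action="<?php echo esc_url( admin_url( 'admin.php?page=correct-prices' ) ); ?>">
<?php $self = $_SERVER["PHP_SELF"]; ?>
<input type="hidden" name="ret" value="<?= $self ?>">
<p><?php echo esc_attr( $self ); ?></p>'''


def is_escaped(expr: str) -> bool:
    """True when the whole output expression is wrapped in an approved escaping call."""
    m = re.match(r"(\w+)\s*\(", expr.strip())
    return bool(m) and m.group(1) in ESCAPERS


def find_unescaped_php_self(source: str):
    """Return [(line_no, expression)] for every unescaped output of PHP_SELF."""
    # Variables that received PHP_SELF anywhere in the file are treated as tainted.
    tainted = {m.group(1) for m in ASSIGN.finditer(source)}
    patterns = [PHP_SELF] + [re.escape(v) + r"\b" for v in sorted(tainted)]
    taint_re = re.compile("|".join(patterns))

    findings = []
    for m in OUTPUT.finditer(source):
        expr = m.group("expr")
        if taint_re.search(expr) and not is_escaped(expr):
            line_no = source.count("\n", 0, m.start()) + 1
            findings.append((line_no, expr.strip()))
    return findings


if __name__ == "__main__":
    for line_no, expr in find_unescaped_php_self(SAMPLE_PHP):
        print(f"line {line_no}: unescaped PHP_SELF output -> {expr}")
```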
To learn more about secure WordPress development, you can consult the WordPress Plugin Handbook on Security and the OWASP Top Ten project.
Summary
The Correct Prices plugin for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) via the $_SERVER['PHP_SELF'] variable in the correct_prices_page() function. This occurs because the plugin echoes the script path directly into a form's action attribute without sanitization, allowing attackers to inject arbitrary web scripts by manipulating the URL path.
Vulnerable Code
// File: correct-prices.php (assumed main plugin file)
// Inside the function correct_prices_page()
<div class="wrap">
    <h2>Correct Prices</h2>
    <form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>?page=correct-prices">
        <!-- form fields -->
    </form>
</div>
Security Fix
@@ -10,1 +10,1 @@ - <form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>?page=correct-prices"> + <form method="post" action="<?php echo esc_url($_SERVER['PHP_SELF']); ?>?page=correct-prices">
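Review bot: the replacement line still derives the form action from $_SERVER['PHP_SELF'] and appends `?page=correct-prices` outside the esc_url() call. Per the remediation section above, esc_url() neutralises the `"` and `>` characters that enable the attribute breakout, so the reflected XSS is closed, but the attribute remains built from attacker-influenced path info; the page's own second remediation option, `<?php echo esc_url( admin_url( 'admin.php?page=correct-prices' ) ); ?>`, drops PHP_SELF entirely and keeps the query string inside the escaped URL. Minor: `esc_url($_SERVER['PHP_SELF'])` does not follow the spacing used elsewhere on this page, `esc_url( $_SERVER['PHP_SELF'] )`.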
Exploit Outline
To exploit this vulnerability, an attacker must craft a malicious URL targeting the WordPress admin dashboard where the plugin's settings page is located. The attacker appends an XSS payload as extra path information (PATH_INFO) after the script name in the URL (e.g., /wp-admin/admin.php/"><script>alert(1)</script>?page=correct-prices). When an authenticated administrator clicks this link, the PHP_SELF variable captures the injected script and echoes it into the form's 'action' attribute, causing the browser to execute the script in the context of the administrator's session. This can lead to session hijacking or unauthorized administrative actions.