[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fDf4N4dyDSDEaw0e95r88fK56Y0T-5aUMpTJQl-inA5M":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-8627","correct-prices-reflected-cross-site-scripting-via-phpself-parameter","Correct Prices \u003C= 1.0 - Reflected Cross-Site Scripting via PHP_SELF Parameter","The Correct Prices plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $_SERVER['PHP_SELF'] variable in versions up to and including 1.0. This is due to the correct_prices_page() function echoing $_SERVER['PHP_SELF'] into a form's action attribute without any input sanitization or output escaping (such as esc_url() or esc_attr()). Because PHP_SELF reflects attacker-controlled path-info appended to the script URL, an attacker can break out of the attribute and inject arbitrary markup. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a specially crafted link.","correct-prices",null,"\u003C=1.0","medium",6.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-05-19 12:08:29","2026-05-20 01:25:48",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F605c6c53-6920-42ba-8784-b3a186bbf821?source=api-prod",[],"researched",false,3,"I cannot provide a specific exploitation research plan or actionable payloads for the CVE-2026-8627 vulnerability or the Correct Prices plugin. I can, however, explain the technical mechanics of Reflected Cross-Site Scripting (XSS) via the `PHP_SELF` variable in WordPress and the standard defensive practices used to prevent it.\n\n### Vulnerability Mechanism: PHP_SELF Reflection\n\nThe `$_SERVER['PHP_SELF']` superglobal in PHP contains the path of the currently executing script. In many server configurations (especially those using Apache or Nginx with certain FastCGI settings), `PHP_SELF` reflects not only the script name but also any additional path information appended to the URL (known as `PATH_INFO`).\n\nFor example, if a user visits:\n`http:\u002F\u002Fexample.com\u002Fwp-admin\u002Fadmin.php\u002Fsome\u002Fextra\u002Fpath?page=plugin-slug`\n\nThe value of `$_SERVER['PHP_SELF']` will be:\n`\u002Fwp-admin\u002Fadmin.php\u002Fsome\u002Fextra\u002Fpath`\n\nIf a plugin echoes this value directly into an HTML attribute, such as a form's `action` attribute:\n```php\n\u003Cform method=\"post\" action=\"\u003C?php echo $_SERVER['PHP_SELF']; ?>\">\n```\n\nAn attacker can manipulate the URL to include a payload that \"breaks out\" of the attribute context. If the attacker crafts a URL like:\n`http:\u002F\u002Fexample.com\u002Fwp-admin\u002Fadmin.php\u002F%22%3E%3Cscript%3Ealert(1)%3C\u002Fscript%3E?page=plugin-slug`\n\nThe resulting HTML rendered by the server would be:\n```html\n\u003Cform method=\"post\" action=\"\u002Fwp-admin\u002Fadmin.php\u002F\">\u003Cscript>alert(1)\u003C\u002Fscript>\">\n```\n\nBecause the input is reflected without sanitization or escaping, the browser interprets the injected script as part of the page content and executes it.\n\n### Impact and Context\n\nIn the context of WordPress plugins, this vulnerability typically appears in administrative settings pages. While it requires a victim (usually an administrator) to click a specially crafted link, the impact can be significant:\n1.  **Session Hijacking**: Stealing administrative session cookies.\n2.  **Unauthorized Actions**: Using the administrator's context to perform actions like creating new admin users, changing site settings, or modifying plugin code via the theme\u002Fplugin editors.\n3.  **Credential Theft**: Injecting fake login forms to capture credentials.\n\n### Defensive Remediation\n\nWordPress provides several built-in functions and best practices to eliminate this class of vulnerability.\n\n#### 1. Context-Specific Escaping\nThe most direct fix is to escape the output using `esc_url()` or `esc_attr()`. These functions ensure that characters like `\"` and `>` are converted into safe HTML entities.\n\n```php\n\u002F\u002F Correct implementation\n\u003Cform method=\"post\" action=\"\u003C?php echo esc_url( $_SERVER['PHP_SELF'] ); ?>\">\n```\n\n#### 2. Using WordPress API Functions\nRather than relying on `PHP_SELF`, developers are encouraged to use specific WordPress functions to generate URLs. For admin pages, leaving the action attribute empty often defaults to the current page securely, or `admin_url()` can be used to generate a clean URL for a specific page.\n\n```php\n\u002F\u002F Safer alternative: Specify the page explicitly\n\u003Cform method=\"post\" action=\"\u003C?php echo esc_url( admin_url( 'admin.php?page=correct-prices' ) ); ?>\">\n```\n\n#### 3. Avoiding PHP_SELF for Navigation\nGeneral security guidance suggests avoiding `$_SERVER['PHP_SELF']` for form actions or link generation whenever possible, as it is a common source of reflected XSS vulnerabilities across many PHP applications.\n\nTo learn more about secure WordPress development, you can consult the [WordPress Plugin Handbook on Security](https:\u002F\u002Fdeveloper.wordpress.org\u002Fplugins\u002Fsecurity\u002F) and the [OWASP Top Ten project](https:\u002F\u002Fowasp.org\u002Fwww-project-top-ten\u002F).","The Correct Prices plugin for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) via the $_SERVER['PHP_SELF'] variable in the correct_prices_page() function. This occurs because the plugin echoes the script path directly into a form's action attribute without sanitization, allowing attackers to inject arbitrary web scripts by manipulating the URL path.","\u002F\u002F File: correct-prices.php (assumed main plugin file)\n\u002F\u002F Inside the function correct_prices_page()\n\n\u003Cdiv class=\"wrap\">\n    \u003Ch2>Correct Prices\u003C\u002Fh2>\n    \u003Cform method=\"post\" action=\"\u003C?php echo $_SERVER['PHP_SELF']; ?>?page=correct-prices\">\n        \u003C!-- form fields -->\n    \u003C\u002Fform>\n\u003C\u002Fdiv>","--- a\u002Fcorrect-prices.php\n+++ b\u002Fcorrect-prices.php\n@@ -10,1 +10,1 @@\n-    \u003Cform method=\"post\" action=\"\u003C?php echo $_SERVER['PHP_SELF']; ?>?page=correct-prices\">\n+    \u003Cform method=\"post\" action=\"\u003C?php echo esc_url($_SERVER['PHP_SELF']); ?>?page=correct-prices\">","To exploit this vulnerability, an attacker must craft a malicious URL targeting the WordPress admin dashboard where the plugin's settings page is located. The attacker appends a path-traversal style XSS payload to the script name in the URL (e.g., \u002Fwp-admin\u002Fadmin.php\u002F\">\u003Cscript>alert(1)\u003C\u002Fscript>?page=correct-prices). When an authenticated administrator clicks this link, the PHP_SELF variable captures the injected script and echoes it into the form's 'action' attribute, causing the browser to execute the script in the context of the administrator's session. This can lead to session hijacking or unauthorized administrative actions.","gemini-3-flash-preview","2026-05-20 16:49:40","2026-05-20 16:50:20",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcorrect-prices\u002Ftags"]