CVE-2026-8624

LJ comments import: reloaded <= 0.97.1 - Reflected Cross-Site Scripting via PHP_SELF Parameter

Severity: medium
CWE: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS Score: 6.1
Patched in: Unpatched
Time to patch: N/A

Description

The LJ comments import: reloaded plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PHP_SELF Parameter in all versions up to, and including, 0.97.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. The vulnerability arises specifically because PHP_SELF includes attacker-controllable PATH_INFO appended to the script name, and there are two distinct unsanitized echo points for this value in the same function.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Technical Details

Affected versions: <=0.97.1
Published: May 19, 2026
Last updated: May 20, 2026
Research Plan
Unverified

Exploitation Research Plan: CVE-2026-8624

1. Vulnerability Summary

CVE-2026-8624 is a Reflected Cross-Site Scripting (XSS) vulnerability in the LJ comments import: reloaded plugin (<= 0.97.1) for WordPress. The vulnerability stems from the improper use of the PHP_SELF superglobal within an admin page callback.

In PHP, $_SERVER['PHP_SELF'] contains the path of the current script. However, most web server configurations (including standard Apache/PHP setups used by WordPress) allow appending additional path information (PATH_INFO) to the script name. If a plugin echoes PHP_SELF without sanitization (e.g., esc_url() or esc_attr()), an attacker can append a malicious script payload to the URL, which is then reflected into the HTML output. The description indicates there are two distinct unsanitized echo points in the same function, likely within a form's action attribute.

2. Attack Vector Analysis

  • Vulnerable Endpoint: Any WordPress admin page where the plugin's import form is rendered. This is typically found under Tools > LJ Import.
  • Vulnerable Parameter: The URL path itself (PATH_INFO), which is captured by PHP_SELF.
  • Authentication Level: Unauthenticated (to craft the link), but High Privilege (Admin) for the victim. The attacker must trick a logged-in administrator into clicking a crafted URL.
  • Preconditions: The plugin must be active.

3. Code Flow (Inferred)

  1. Entry Point: The plugin registers an admin page, likely via add_management_page() (for the Tools menu).
    • Hook: admin_menu
    • Function: add_management_page('LJ Import', ..., 'lj_import_page_callback') (inferred).
  2. Execution: When an administrator visits the "LJ Import" page, the callback function (e.g., lj_import_page_callback) is executed.
  3. Sink: Inside this function, a form is rendered to handle the import process. The code likely contains:
    <form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>?page=lj-comments-import-reloaded">
  4. Vulnerability: Because $_SERVER['PHP_SELF'] is echoed without esc_url(), the attacker can control the output by modifying the URL path.

4. Nonce Acquisition Strategy

Reflected XSS in a page's initial rendering (the GET request to view the form) typically does not require a nonce, as the vulnerability exists in the generation of the page itself, not in the processing of a sensitive action.

However, to identify the exact URL slug for the exploitation:

  1. Identify the Slug: The plugin slug is lj-comments-import-reloaded.
  2. Determine the Parent Page: Import tools are usually subpages of tools.php.
  3. Browser Verification:
    • The execution agent should navigate to the WordPress dashboard as an admin.
    • Use browser_navigate to http://[target]/wp-admin/tools.php?page=lj-comments-import-reloaded.
    • If this page exists, the base URL for reflection is identified.

5. Exploitation Strategy

The goal is to break out of the HTML attribute (likely action) and the tag to inject a script.

Step 1: Craft the Payload

If the code is <form action="<?php echo $_SERVER['PHP_SELF']; ?>...">, the URL path needs to break the action attribute.

  • Breakout Payload: /"><script>alert(document.domain)</script>
  • Encoded Payload: /%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E

Step 2: Construct the Request

The request is a standard GET request to the admin page with the payload appended to the script path.

  • URL: http://localhost:8888/wp-admin/tools.php/%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E?page=lj-comments-import-reloaded
  • Method: GET
  • Tool: http_request (Playwright)

Step 3: Execution Plan

  1. Use browser_navigate to log in as an administrator.
  2. Use http_request to send the crafted GET request while maintaining the admin session cookies.
  3. Analyze the response body to confirm that the <script> tag is rendered verbatim and not escaped as &lt;script&gt;.

6. Test Data Setup

  1. Plugin Installation: Ensure lj-comments-import-reloaded version 0.97.1 is installed and activated.
  2. Admin User: Create a standard administrator user for the "victim" session.
  3. No Special Content Needed: Since this is reflected XSS in the admin UI, no specific posts or comments are required to trigger the vulnerability.

7. Expected Results

  • Response Code: 200 OK
  • Response Body: The HTML source should contain:
    <form method="post" action="/wp-admin/tools.php/"><script>alert(document.domain)</script>?page=lj-comments-import-reloaded">
  • Confirmation: The presence of the unescaped alert(document.domain) script inside the form tag confirms the vulnerability.

8. Verification Steps

  1. Verify Reflection: Search the http_request response for the string <script>alert.
  2. Verify Context: Confirm the reflection occurs within a <form> or <a> tag, proving it broke out of the intended attribute context.
  3. Manual Confirmation: If using a browser-based agent, browser_eval("window.confirm('XSS Triggered')") could be used to see if the alert fires in the context of the admin page.
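On the defender's side, the same reflection channel is visible in web-server logs: a request whose path continues after the wp-admin script name is carrying PATH_INFO. The script below is an added example, not part of the advisory, that scans constructed combined-format log lines (assumed Apache/nginx layout) and rates any such request by whether the decoded PATH_INFO contains attribute or tag delimiters.

```php
<?php
// Added example, not from the advisory: a log check that flags wp-admin requests carrying
// PATH_INFO after the .php script name, the delivery channel for this PHP_SELF reflection.
// The log lines are constructed in Apache/nginx combined format for the demonstration.

$sample_log = <<<'LOG'
203.0.113.5 - - [19/May/2026:10:00:01 +0000] "GET /wp-admin/tools.php?page=lj-comments-import-reloaded HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [19/May/2026:10:00:07 +0000] "GET /wp-admin/tools.php/extra?page=lj-comments-import-reloaded HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [19/May/2026:10:01:13 +0000] "GET /wp-admin/tools.php/%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E?page=lj-comments-import-reloaded HTTP/1.1" 200 5310 "-" "Mozilla/5.0"
198.51.100.9 - - [19/May/2026:10:01:20 +0000] "GET /wp-content/uploads/2026/05/file.php/x HTTP/1.1" 404 210 "-" "Mozilla/5.0"
LOG;

// Returns one finding per request whose path has PATH_INFO after a wp-admin .php script.
function find_path_info_requests(string $log): array {
    $findings = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        // client IP, method and request target from the combined log format
        if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*"/', $line, $m)) {
            continue;
        }
        $path = explode('?', $m[3], 2)[0];               // PATH_INFO is in the path, not the query string
        // a wp-admin script followed by a further path segment, e.g. /wp-admin/tools.php/<PATH_INFO>
        if (!preg_match('#^(/wp-admin/[^?]*?\.php)(/.*)$#', $path, $p)) {
            continue;
        }
        $path_info = rawurldecode($p[2]);
        // quotes or angle brackets in PATH_INFO are what breaks out of the attribute via PHP_SELF
        $severity = strpbrk($path_info, '"\'<>') !== false ? 'high' : 'low';
        $findings[] = ['client' => $m[1], 'method' => $m[2], 'script' => $p[1],
                       'path_info' => $path_info, 'severity' => $severity];
    }
    return $findings;
}

foreach (find_path_info_requests($sample_log) as $f) {
    printf("[%-4s] %s %s%s from %s\n", $f['severity'], $f['method'], $f['script'], $f['path_info'], $f['client']);
}
```

The second sample line is reported as low severity (PATH_INFO present but no delimiters), the third as high; a plain `tools.php?page=...` request and non-admin paths are ignored.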

9. Alternative Approaches

If the payload doesn't trigger, it may be because of specific quote handling in the target environment:

  • Single Quote Breakout: /'><script>alert(1)</script>
  • Event Handler Injection: If the breakout is blocked, try injecting an attribute: /%22%20onmouseover=%22alert(1)%22%20style=%22display:block;width:100%;height:100%;position:fixed;top:0;left:0;%22
  • Double Echo Check: The description mentions "two distinct unsanitized echo points." If the first reflection is in a less dangerous context (like a comment or hidden field), search the entire DOM for the second reflection point.

Research Findings
Static analysis — not yet PoC-verified

Summary

The LJ comments import: reloaded plugin for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) due to the use of the unsanitized $_SERVER['PHP_SELF'] superglobal. An attacker can append malicious script payloads to the URL path (PATH_INFO), which are then reflected into the HTML of the plugin's administration page, allowing for arbitrary script execution in the context of a logged-in administrator's browser.

Vulnerable Code

// In the function rendering the LJ Import admin page (likely in lj-comments-import-reloaded.php)

<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>?page=lj-comments-import-reloaded">

---

// Second occurrence in the same function context

<input type="hidden" name="redirect_url" value="<?php echo $_SERVER['PHP_SELF']; ?>" />

Security Fix

--- lj-comments-import-reloaded.php
+++ lj-comments-import-reloaded.php
@@ -102,7 +102,7 @@
-    <form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>?page=lj-comments-import-reloaded">
+    <form method="post" action="<?php echo esc_url($_SERVER['PHP_SELF']); ?>?page=lj-comments-import-reloaded">
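Review bot: esc_url() on this action attribute does close the breakout described in the advisory, since in its default display context it strips `"`, `<` and `>` and entity-encodes `'` and `&`, but the attribute still embeds the PATH_INFO-bearing PHP_SELF rather than a fixed target. Building it from the slug already hard-coded on this line, for example `action="<?php echo esc_url( admin_url( 'tools.php?page=lj-comments-import-reloaded' ) ); ?>"`, removes the dependence on request-controlled path data altogether. The hunk header `@@ -102,7 +102,7 @@` also announces seven lines but only the changed pair is shown, so the surrounding context lines should be included for the patch to apply cleanly.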
@@ -150,7 +150,7 @@
-    <input type="hidden" name="redirect_url" value="<?php echo $_SERVER['PHP_SELF']; ?>" />
+    <input type="hidden" name="redirect_url" value="<?php echo esc_url($_SERVER['PHP_SELF']); ?>" />
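Review bot: escaping the hidden `redirect_url` value fixes the second reflection point, but the field name suggests the value is posted back and later used as a redirect target, and output escaping does not validate that later use; the handler that consumes `redirect_url` should route it through wp_safe_redirect() (or wp_validate_redirect()) so a request-supplied path cannot turn the form submission into an open redirect. As with the first hunk, the header claims seven lines of context while only the changed pair appears.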

Exploit Outline

To exploit this vulnerability, an attacker needs to craft a malicious URL and trick a logged-in administrator into visiting it.

  1. Identify the plugin's admin page endpoint, typically `wp-admin/tools.php?page=lj-comments-import-reloaded`.
  2. Construct a payload that breaks out of an HTML attribute (like action="") by appending a script tag to the script name in the URL. For example: `wp-admin/tools.php/%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E?page=lj-comments-import-reloaded`.
  3. The server interprets the portion after `tools.php/` as `PATH_INFO`, which is included in the `$_SERVER['PHP_SELF']` variable.
  4. When the admin page renders the form, the unsanitized `PHP_SELF` reflects the `<script>` tag directly into the DOM, executing the payload in the administrator's session.
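As an added example (not the plugin's code and not the advisory's fix), the script below simulates the request shape described above with constructed $_SERVER values, renders the form action both as the vulnerable code does and from SCRIPT_NAME with attribute escaping, and checks whether the attribute boundaries survive. esc_url() and admin_url() are the WordPress equivalents and are only named in comments because the script runs without WordPress loaded.

```php
<?php
// Added example, not the plugin's code: demonstrates why echoing PHP_SELF into an
// attribute is unsafe and how to render the same form without depending on PATH_INFO.
// The $_SERVER values are constructed to simulate a request for
// /wp-admin/tools.php/<PATH_INFO>?page=lj-comments-import-reloaded (no web server needed).

$_SERVER['SCRIPT_NAME'] = '/wp-admin/tools.php';          // script path only, never carries PATH_INFO
$_SERVER['PATH_INFO']   = '/"><b>injected</b>';           // constructed: a quote plus markup in the path
$_SERVER['PHP_SELF']    = $_SERVER['SCRIPT_NAME'] . $_SERVER['PATH_INFO']; // how PHP composes PHP_SELF

const PAGE_QUERY = '?page=lj-comments-import-reloaded';

// The pattern from the advisory: raw PHP_SELF (script name + PATH_INFO) inside action="".
function render_vulnerable(): string {
    return '<form method="post" action="' . $_SERVER['PHP_SELF'] . PAGE_QUERY . '">';
}

// Hardened: derive the action from SCRIPT_NAME (no PATH_INFO) and escape it for an
// attribute. Inside WordPress the equivalent is esc_url() as in the fix on this page,
// or admin_url('tools.php' . PAGE_QUERY); htmlspecialchars() keeps this runnable standalone.
function render_hardened(): string {
    $action = htmlspecialchars($_SERVER['SCRIPT_NAME'] . PAGE_QUERY, ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="' . $action . '">';
}

// Structural check: a well-formed <form ...> tag with two quoted attributes contains exactly
// four raw double quotes and no '<' after the opening one. A fifth quote or a nested '<'
// means a value closed the attribute early, which is the breakout the advisory describes.
function form_tag_intact(string $html): bool {
    return substr_count($html, '"') === 4 && strpos($html, '<', 1) === false;
}

foreach (['vulnerable' => render_vulnerable(), 'hardened' => render_hardened()] as $label => $html) {
    printf("%-10s intact=%s  %s\n", $label, form_tag_intact($html) ? 'yes' : 'no', $html);
}
```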
