CVE-2026-8627 Overview
CVE-2026-8627 is a Reflected Cross-Site Scripting (XSS) vulnerability in the Correct Prices plugin for WordPress, affecting versions up to and including 1.0. The flaw exists in the correct_prices_page() function, which echoes the $_SERVER['PHP_SELF'] variable into a form's action attribute without sanitization or escaping. An unauthenticated attacker can append crafted path-info to the script URL and inject arbitrary HTML or JavaScript. Successful exploitation requires user interaction, such as clicking a malicious link. The injected script then executes in the victim's browser session.
Critical Impact
Unauthenticated attackers can execute arbitrary JavaScript in a victim's browser session, enabling session theft, credential harvesting, or administrative action hijacking when an authenticated WordPress user visits a crafted link.
Affected Products
- Correct Prices plugin for WordPress, versions up to and including 1.0
- WordPress sites with the plugin installed and activated
- Any end user or administrator browsing pages rendered by the plugin
Discovery Timeline
- 2026-05-20 - CVE CVE-2026-8627 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-8627
Vulnerability Analysis
The vulnerability is a Reflected Cross-Site Scripting flaw classified under [CWE-79]. The plugin's correct_prices_page() function renders an HTML form whose action attribute is built directly from the $_SERVER['PHP_SELF'] superglobal. PHP populates PHP_SELF from the request URI, including any path-info appended after the script name. Because the value is echoed without esc_url() or esc_attr(), attacker-controlled characters such as double quotes and angle brackets pass through unfiltered. An attacker can therefore close the action attribute and inject arbitrary markup, including <script> tags or event-handler attributes.
The attack requires user interaction, which limits opportunistic exploitation. However, the scope is changed because injected script executes in the WordPress site origin and can act on behalf of authenticated victims. Stolen session cookies or forged administrative requests can lead to full site compromise. The exploitation prerequisites are minimal: no authentication is required, attack complexity is low, and the payload travels in a single crafted URL suitable for phishing or social engineering.
Root Cause
The root cause is unsanitized reflection of a user-controllable server variable into HTML output. WordPress provides esc_url() and esc_attr() for exactly this scenario, but the plugin omits both. The developer assumed PHP_SELF is trusted, while in practice the web server populates it from the request URI path component.
Attack Vector
An attacker crafts a URL of the form https://victim.example/wp-admin/admin.php/"><script>...</script>?page=correct_prices. When an authenticated WordPress user clicks the link, the plugin renders the form with the injected payload inside the action attribute. The browser parses the broken-out markup and executes the attacker's script in the site's origin.
The vulnerability is reflected rather than stored, so each victim must be lured individually. No verified public exploit is currently catalogued, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
// No verified public exploit code is available.
// See the Wordfence advisory and WordPress plugin source for technical detail.
Detection Methods for CVE-2026-8627
Indicators of Compromise
- Web server access logs containing requests to correct_prices admin pages with path-info segments that include URL-encoded <, >, ", or script tokens
- Referrer headers pointing to external domains immediately preceding suspicious requests to plugin endpoints
- Outbound browser requests from administrator sessions to attacker-controlled domains shortly after clicking external links
Detection Strategies
- Inspect HTTP request URIs for path-info appended after .php script names containing HTML metacharacters or javascript: schemes
- Deploy a Web Application Firewall (WAF) rule that flags requests to WordPress admin pages whose REQUEST_URI contains <, >, ", or %3C/%3E sequences after the script name
- Review browser-side Content Security Policy (CSP) violation reports for inline script blocked on plugin-rendered pages
Monitoring Recommendations
- Log and alert on administrative sessions making unexpected POST requests after visiting external referrers
- Track WordPress audit events for unusual settings changes or new user creation correlated with admin-area XSS request patterns
- Monitor file-integrity baselines for the correct-prices plugin directory to detect tampering or replacement
How to Mitigate CVE-2026-8627
Immediate Actions Required
- Deactivate and remove the Correct Prices plugin until an official patched release is published
- Force a password reset and session invalidation for WordPress administrators who may have clicked suspicious links
- Apply WAF rules that strip or block HTML metacharacters in PATH_INFO for WordPress admin endpoints
Patch Information
No fixed version is identified in the published advisory at the time of writing. The plugin source remains vulnerable in versions up to and including 1.0. Review the Wordfence Vulnerability Report and the WordPress Plugin Source Code for ongoing updates.
Workarounds
- Replace $_SERVER['PHP_SELF'] references in the plugin with esc_url(admin_url('admin.php?page=correct_prices')) if maintaining a local fork
- Restrict access to the WordPress admin area by IP allow-list at the web server or reverse proxy
- Configure a strict Content Security Policy that disallows inline scripts on admin pages to neutralize injected payloads
# Example nginx rule to drop admin requests with HTML metacharacters in PATH_INFO
location ~ ^/wp-admin/.*\.php(/.*)?$ {
if ($request_uri ~* "\.php/.*[<>\"]") {
return 403;
}
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
