Description
The LJ comments import: reloaded plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PHP_SELF Parameter in all versions up to, and including, 0.97.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. The vulnerability arises specifically because PHP_SELF includes attacker-controllable PATH_INFO appended to the script name, and there are two distinct unsanitized echo points for this value in the same function.
Published: 2026-05-20
Score: 6.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The LJ comments import: reloaded plugin handles the PHP_SELF variable without proper sanitization or output escaping, creating two echo points that an attacker can manipulate to embed malicious scripts. An unauthenticated attacker can craft a URL that, when visited by a user, causes arbitrary client‑side code to run. The impact is the execution of injected scripts in the victim’s browser, potentially leading to session theft, defacement, or other downstream attacks.

Affected Systems

The plugin "LJ comments import: reloaded" for WordPress, from the vendor etspring, is affected in all releases up to and including version 0.97.1. No other versions are identified as vulnerable.

Risk and Exploitability

The CVSS score of 6.1 indicates a medium severity vulnerability. No EPSS score is available, and the issue is not listed in the CISA KEV catalog, so widespread exploitation is not documented. However, the vulnerability is exploitable via a crafted link, making it feasible for an attacker to deliver a reflected XSS payload to a user who follows the malicious URL. Overall the risk is moderate, and the likelihood of exploitation depends on the attacker’s ability to entice users to trigger the request.

Generated by OpenCVE AI on May 20, 2026 at 03:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the LJ comments import: reloaded plugin to a version newer than 0.97.1.
  • If an update cannot be applied immediately, disable or remove the plugin until a patch is available.
  • Implement server‑side sanitization for the PHP_SELF value and ensure that any echoed data is properly escaped to prevent reflected XSS.
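The third action above is the one a plugin maintainer has to carry out in code. The following is an added example, not the plugin's own code and not the actual location of the two echo points: it reconstructs the pattern the description names (PHP_SELF, which the web server builds as the script name plus the request's PATH_INFO, echoed into a form attribute) and places two hardened versions of the same output beside it. The `$_SERVER` values are constructed so the script runs under the PHP CLI without a web server; the function names are hypothetical.

```php
<?php
// Added example (not the plugin's code): why reflecting PHP_SELF is unsafe,
// and two ways to harden the same form-action output.

// Constructed request. The web server appends PATH_INFO to the script name
// when building PHP_SELF, so the tail of PHP_SELF is request-controlled.
$_SERVER['SCRIPT_NAME'] = '/wp-admin/admin.php';
$_SERVER['PATH_INFO']   = '/extra"><em>marker</em>';          // constructed value
$_SERVER['PHP_SELF']    = $_SERVER['SCRIPT_NAME'] . $_SERVER['PATH_INFO'];

// Vulnerable pattern (CWE-79): the value lands inside an HTML attribute with
// no escaping, so the quote in PATH_INFO closes the attribute and everything
// after it is rendered as markup.
function form_action_unsafe(): string {
    return '<form method="post" action="' . $_SERVER['PHP_SELF'] . '">';
}

// Hardened, minimal: escape for the attribute context where the value is
// printed. htmlspecialchars() with ENT_QUOTES is the plain-PHP equivalent of
// WordPress's esc_attr(); the quote and angle brackets become entities.
function form_action_escaped(): string {
    $action = htmlspecialchars( $_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8' );
    return '<form method="post" action="' . $action . '">';
}

// Hardened, preferred: do not reflect PHP_SELF at all. SCRIPT_NAME excludes
// PATH_INFO, and the result is still escaped. Inside WordPress the same goal
// is reached with admin_url() or menu_page_url(), which derive the target
// from configuration rather than from the incoming request.
function form_action_fixed_target(): string {
    $action = htmlspecialchars( $_SERVER['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8' );
    return '<form method="post" action="' . $action . '">';
}

echo "unsafe:  ", form_action_unsafe(), "\n";
echo "escaped: ", form_action_escaped(), "\n";
echo "fixed:   ", form_action_fixed_target(), "\n";
```

Running this shows the first line with the attribute broken open and the other two lines intact. For review of a plugin like this one, the practical check is to search the code base for every `$_SERVER['PHP_SELF']` (and `REQUEST_URI`) that reaches output, since the description notes the same value is echoed at two separate points in one function; each occurrence needs either escaping at the point of output or replacement with a configuration-derived URL.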

Generated by OpenCVE AI on May 20, 2026 at 03:30 UTC.

Tracking


Advisories

No advisories yet.

History

Wed, 20 May 2026 11:45:00 +0000

Type: First Time appeared
  Values Added: Etspring; Etspring lj Comments Import: Reloaded; Wordpress; Wordpress wordpress

Type: Vendors & Products
  Values Added: Etspring; Etspring lj Comments Import: Reloaded; Wordpress; Wordpress wordpress

Wed, 20 May 2026 02:15:00 +0000

Type: Description
  Values Added: The LJ comments import: reloaded plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PHP_SELF Parameter in all versions up to, and including, 0.97.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. The vulnerability arises specifically because PHP_SELF includes attacker-controllable PATH_INFO appended to the script name, and there are two distinct unsanitized echo points for this value in the same function.

Type: Title
  Values Added: LJ comments import: reloaded <= 0.97.1 - Reflected Cross-Site Scripting via PHP_SELF Parameter

Type: Weaknesses
  Values Added: CWE-79

Type: References

Type: Metrics
  Values Added: cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Subscriptions

Etspring Lj Comments Import: Reloaded
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-20T01:25:45.994Z

Reserved: 2026-05-14T18:41:43.800Z

Link: CVE-2026-8624

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-20T02:16:40.693

Modified: 2026-05-20T02:16:40.693

Link: CVE-2026-8624

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T10:38:35Z

Weaknesses