Description
The SponsorMe plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PHP_SELF Parameter in all versions up to, and including, 0.5.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. The PHP_SELF value is reflected in two separate locations within the vulnerable function — a form action attribute and an anchor href attribute — both of which can be exploited by appending a crafted payload to the wp-admin/admin.php URL path.
Published: 2026-05-20
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The SponsorMe WordPress plugin contains a reflected Cross-Site Scripting vulnerability in which the PHP_SELF variable is reflected into a form action and an anchor href attribute without proper sanitization. An attacker can craft a malicious URL that appends a JavaScript payload to wp-admin/admin.php, causing that script to execute in the victim’s browser when the link is triggered or the form is submitted. The impact is arbitrary client-side script execution, potentially exposing sensitive data or session information to the attacker.

Affected Systems

All installations of the SponsorMe plugin for WordPress with versions up to and including 0.5.2 are affected. The vulnerability resides in the sponsorme.php file of the owencutajar repository.

Risk and Exploitability

With a CVSS score of 6.1 the issue is classified as moderate severity. EPSS is unavailable and the vulnerability is not listed in CISA's KEV catalog. Exploitation does not require authentication; it relies on a crafted URL that the victim must visit or click, making the risk moderate for sites that expose the wp-admin/admin.php path.

Generated by OpenCVE AI on May 20, 2026 at 03:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the SponsorMe plugin to the latest released version, which removes the PHP_SELF reference and corrects the output escaping.
  • If an update cannot be performed immediately, temporarily deactivate the SponsorMe plugin to remove the vulnerable code path.
  • As a temporary manual mitigation, edit the plugin file to replace the PHP_SELF reference with a fixed script name and apply proper escaping (e.g., htmlspecialchars) to any dynamic content before rendering it in HTML.
  • Regularly check the vendor’s website or plugin repository for security updates and apply them promptly.

Generated by OpenCVE AI on May 20, 2026 at 03:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 20 May 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 20 May 2026 11:45:00 +0000

Type Values Removed Values Added
First Time appeared Owencutajar
Owencutajar sponsorme
Wordpress
Wordpress wordpress
Vendors & Products Owencutajar
Owencutajar sponsorme
Wordpress
Wordpress wordpress

Wed, 20 May 2026 02:15:00 +0000

Type Values Removed Values Added
Description The SponsorMe plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PHP_SELF Parameter in all versions up to, and including, 0.5.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. The PHP_SELF value is reflected in two separate locations within the vulnerable function — a form action attribute and an anchor href attribute — both of which can be exploited by appending a crafted payload to the wp-admin/admin.php URL path.
Title SponsorMe <= 0.5.2 - Reflected Cross-Site Scripting via PHP_SELF Parameter
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Owencutajar Sponsorme
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-20T14:13:28.784Z

Reserved: 2026-05-14T18:44:24.518Z

Link: CVE-2026-8626

cve-icon Vulnrichment

Updated: 2026-05-20T14:13:24.617Z

cve-icon NVD

Status : Deferred

Published: 2026-05-20T02:16:40.837

Modified: 2026-05-20T13:54:54.890

Link: CVE-2026-8626

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-20T10:38:25Z

Weaknesses