Description
The Correct Prices plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $_SERVER['PHP_SELF'] variable in versions up to and including 1.0. This is due to the correct_prices_page() function echoing $_SERVER['PHP_SELF'] into a form's action attribute without any input sanitization or output escaping (such as esc_url() or esc_attr()). Because PHP_SELF reflects attacker-controlled path-info appended to the script URL, an attacker can break out of the attribute and inject arbitrary markup. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a specially crafted link.
Published: 2026-05-20
Score: 6.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Correct Prices plugin for WordPress contains a reflected cross‑site scripting vulnerability that arises when the plugin echoes the $_SERVER['PHP_SELF'] value into a form action attribute without sanitization or escaping. Because PHP_SELF can contain attacker‑controlled path components, a malicious actor can terminate the attribute and inject arbitrary JavaScript or other markup. An unauthenticated user can trigger this by opening a crafted link in the vulnerable WordPress site, which may result in session hijacking, data theft, or phishing attacks, depending on the information available to the victim’s browser.

Affected Systems

WordPress sites running the Correct Prices plugin at version 1.0 or earlier are affected. The plugin is published by Lykich (tracked as lykich:Correct Prices). Any installation that has not been upgraded past version 1.0 is vulnerable.

Risk and Exploitability

The CVSS score of 6.1 indicates medium severity, and no EPSS rating has been published, which suggests no known widespread exploitation yet. The vulnerability is not listed in the CISA KEV database; the typical attack vector is a web interface in which a user must open a crafted link. Attackers do not need privileged access and can deliver the payload through any link the victim will open, making it reasonably easy to exploit in a social‑engineering context.

Generated by OpenCVE AI on May 20, 2026 at 03:35 UTC.

Remediation

No vendor fix or workaround has been provided at this time.

OpenCVE Recommended Actions

  • Update the Correct Prices plugin to the latest release that removes the PHP_SELF reference or applies proper escaping.
  • If an update is not yet available, deactivate or uninstall the plugin to eliminate the reflected XSS vector.
  • For sites that must continue using the vulnerable version, replace occurrences of $_SERVER['PHP_SELF'] with a sanitized alternative such as esc_url( $_SERVER['REQUEST_URI'] ) or a hard‑coded script URL, ensuring all output is escaped.
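The unsafe pattern the advisory describes, beside two hardened versions, as an added example that is not the Correct Prices plugin's own code. It assumes it is loaded as a WordPress plugin, so esc_url(), esc_attr(), admin_url(), add_query_arg(), wp_nonce_field() and the other WordPress helpers it calls are defined; the function names, the menu slug correct-prices-example and the option name cpx_price are hypothetical.

```php
<?php
/*
 * Added example, not code from the Correct Prices plugin. Assumes it runs
 * inside WordPress so that esc_url(), esc_attr(), admin_url(),
 * add_query_arg(), wp_nonce_field(), check_admin_referer(), get_option()
 * and update_option() exist. The function names, the menu slug
 * 'correct-prices-example' and the option name 'cpx_price' are hypothetical.
 */

// Unsafe pattern (what the advisory describes): PHP_SELF is derived from the
// request and is written straight into the action attribute, so path-info
// appended to the script URL reaches the markup unescaped.
function cpx_render_form_unsafe() {
	echo '<form method="post" action="' . $_SERVER['PHP_SELF'] . '">';
	echo '<input type="text" name="cpx_price" />';
	echo '<input type="submit" value="Save" />';
	echo '</form>';
}

// Hardened, option 1 (the advisory's third recommended action): keep a
// request-derived URL but pass it through esc_url(), which drops unsafe
// protocols and encodes the characters that could close the attribute.
function cpx_render_form_request_uri() {
	echo '<form method="post" action="' . esc_url( $_SERVER['REQUEST_URI'] ) . '">';
	echo '<input type="text" name="cpx_price" />';
	echo '<input type="submit" value="Save" />';
	echo '</form>';
}

// Hardened, option 2 (preferred): reflect nothing from the request. The
// action is built from the known admin page slug, every echoed value is
// escaped for its context, and a nonce ties the POST to this form.
function cpx_render_form_fixed() {
	$action = add_query_arg( 'page', 'correct-prices-example', admin_url( 'admin.php' ) );
	$saved  = get_option( 'cpx_price', '' );

	echo '<form method="post" action="' . esc_url( $action ) . '">';
	wp_nonce_field( 'cpx_save_price', 'cpx_nonce' );
	echo '<input type="text" name="cpx_price" value="' . esc_attr( $saved ) . '" />';
	echo '<input type="submit" value="Save" />';
	echo '</form>';
}

// Settings page callback: check capability and nonce before storing the
// submitted value, then render the hardened form.
function cpx_settings_page() {
	if ( ! current_user_can( 'manage_options' ) ) {
		return;
	}
	if ( isset( $_POST['cpx_price'] ) ) {
		check_admin_referer( 'cpx_save_price', 'cpx_nonce' );
		update_option( 'cpx_price', sanitize_text_field( wp_unslash( $_POST['cpx_price'] ) ) );
	}
	echo '<div class="wrap"><h1>Correct Prices example</h1>';
	cpx_render_form_fixed();
	echo '</div>';
}

add_action( 'admin_menu', function () {
	add_menu_page(
		'Correct Prices example',
		'Correct Prices example',
		'manage_options',
		'correct-prices-example',
		'cpx_settings_page'
	);
} );
```

Of the two hardened forms, the second is the better choice: esc_url() on REQUEST_URI stops the attribute break-out, but the action still carries request-derived data, whereas building the URL from admin_url() and a fixed slug reflects nothing the request supplied. In both, every echoed value sits inside an escaping call chosen for its context (esc_url() for the URL attribute, esc_attr() for the value attribute).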

Advisories

No advisories yet.

History

Wed, 20 May 2026 11:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Lykich; Lykich correct Prices; Wordpress; Wordpress wordpress
Vendors & Products                     Lykich; Lykich correct Prices; Wordpress; Wordpress wordpress

Wed, 20 May 2026 02:15:00 +0000

Type          Values Removed   Values Added
Description                    The Correct Prices plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $_SERVER['PHP_SELF'] variable in versions up to and including 1.0. This is due to the correct_prices_page() function echoing $_SERVER['PHP_SELF'] into a form's action attribute without any input sanitization or output escaping (such as esc_url() or esc_attr()). Because PHP_SELF reflects attacker-controlled path-info appended to the script URL, an attacker can break out of the attribute and inject arbitrary markup. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a specially crafted link.
Title                          Correct Prices <= 1.0 - Reflected Cross-Site Scripting via PHP_SELF Parameter
Weaknesses                     CWE-79
References
Metrics                        cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-20T01:25:48.666Z

Reserved: 2026-05-14T18:45:14.185Z

Link: CVE-2026-8627

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-20T02:16:40.980

Modified: 2026-05-20T02:16:40.980

Link: CVE-2026-8627

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T10:38:29Z

Weaknesses