Description
The EntreDroppers plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PHP_SELF Parameter in all versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. The payload is delivered via attacker-controlled path-info in the URL (e.g., /wp-admin/admin.php/"><script>alert(0)</script>/?page=EntreDroppers.php), which PHP_SELF reflects directly into the form action attribute.
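As an added illustration, not code from the EntreDroppers plugin or from Wordfence, the PHP below contrasts the PHP_SELF pattern the description refers to with a form action built from WordPress's own `admin_url()`, `esc_url()` and `esc_attr()` helpers (real WordPress functions). The function names, the example host and the constructed request values are assumptions; the fallback definitions exist only so the file also runs from the PHP CLI outside WordPress.

```php
<?php
// Added example, not code from the EntreDroppers plugin: the PHP_SELF
// reflection pattern the advisory describes, beside a hardened replacement.
// Function names are hypothetical. admin_url(), esc_url() and esc_attr()
// are real WordPress helpers; the stand-ins below exist only so the file
// also runs from the PHP CLI outside WordPress.

if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    function esc_url(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); // stand-in; WP's version also validates the scheme
    }
}
if (!function_exists('admin_url')) {
    function admin_url(string $path = ''): string {
        return 'https://example.invalid/wp-admin/' . ltrim($path, '/'); // stand-in host (assumed)
    }
}

// VULNERABLE pattern (CWE-79): PHP_SELF is SCRIPT_NAME plus any path-info the
// client appended after admin.php, so whatever the request URL carried lands
// in the action attribute unescaped.
function entredroppers_form_vulnerable(): string {
    return '<form method="post" action="' . $_SERVER['PHP_SELF'] . '?page=EntreDroppers.php">';
}

// HARDENED: derive the action from a server-side constant rather than from the
// request, and escape it for the attribute context.
function entredroppers_form_hardened(): string {
    $action = admin_url('admin.php?page=EntreDroppers.php');
    return '<form method="post" action="' . esc_url($action) . '">';
}

// Defence in depth: if a server variable must be used, prefer SCRIPT_NAME
// (which carries no path-info) and still escape it for the attribute context.
function entredroppers_form_escaped(): string {
    $self = esc_attr($_SERVER['SCRIPT_NAME'] ?? '/wp-admin/admin.php');
    return '<form method="post" action="' . $self . '?page=EntreDroppers.php">';
}

// Constructed request values: benign path-info that closes the attribute early
// if reflected raw (same shape as the advisory's payload, without a script tag).
$_SERVER['SCRIPT_NAME'] = '/wp-admin/admin.php';
$_SERVER['PHP_SELF']    = '/wp-admin/admin.php/"><i>path-info</i>/';

echo "vulnerable: " . entredroppers_form_vulnerable() . "\n";
echo "hardened:   " . entredroppers_form_hardened() . "\n";
echo "escaped:    " . entredroppers_form_escaped() . "\n";
// Only the first line carries the raw '">' sequence that terminates the
// attribute; the other two never read the request path-info at all.
```

The hardened form is the one to prefer: it removes the request-derived value entirely instead of relying on escaping to neutralise it, which is the fix the recommended actions below describe as "removes the PHP_SELF usage".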
Published: 2026-06-24
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The EntreDroppers WordPress plugin is vulnerable to reflected cross‑site scripting because the PHP_SELF variable is used without sanitization in the form action. An attacker who tricks a user into visiting a crafted URL can inject arbitrary JavaScript that the browser executes when the page loads. This flaw permits an unauthenticated attacker to run client‑side code with the user’s privileges, potentially stealing session cookies, defacing the site, or redirecting users to phishing pages. The weakness corresponds to CWE‑79.

Affected Systems

The impact applies to the owencutajar EntreDroppers plugin for WordPress, affecting all versions up to and including 1.1.2. Administrators of sites that have this plugin installed should verify the plugin version and consider removing it if it cannot be updated.

Risk and Exploitability

The vulnerability has a CVSS score of 6.1, indicating moderate severity. No EPSS score is currently available, and the vulnerability is not listed in the CISA KEV catalog, suggesting that widespread exploitation has not yet been documented. Nonetheless, because the flaw is triggered by a user clicking a link and does not require special privileges, the likelihood of exploitation remains high in environments where the plugin is used and the affected sites are publicly reachable. Malicious URL path-info data that is reflected verbatim into the form action attribute can force the victim’s browser to execute the injected script.

Generated by OpenCVE AI on June 24, 2026 at 09:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the EntreDroppers plugin to a version newer than 1.1.2 that removes the PHP_SELF usage or otherwise sanitizes input.
  • If an update is not available, deactivate and delete the plugin to eliminate the vulnerable code path.
  • As a temporary workaround, configure the web server to strip or encode PHP_SELF in the request path, or add strict CSP headers that block execution of inline scripts and external script sources.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 06:30:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: The EntreDroppers plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PHP_SELF Parameter in all versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. The payload is delivered via attacker-controlled path-info in the URL (e.g., /wp-admin/admin.php/"><script>alert(0)</script>/?page=EntreDroppers.php), which PHP_SELF reflects directly into the form action attribute.

Type: Title
  Values Removed: (none)
  Values Added: EntreDroppers <= 1.1.2 - Reflected Cross-Site Scripting via PHP_SELF Parameter

Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-79

Type: References
  Values Removed: (none)
  Values Added: (none)

Type: Metrics
  Values Removed: (none)
  Values Added: cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-24T05:33:26.965Z

Reserved: 2026-05-14T18:46:06.873Z

Link: CVE-2026-8628

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T10:00:05Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')