Description
The NS Product icon badge plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PHP_SELF in all versions up to, and including, 1.2.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Published: 2026-05-27
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker to inject arbitrary JavaScript into pages that the target user visits. Because the plugin outputs data based on the PHP_SELF variable without proper escaping, a malicious URL can contain user‑controlled script code that the browser will execute when the page is rendered. This can lead to defacement, credential theft, or further exploitation of the victim's browser context.

Affected Systems

WordPress sites running the NS Product icon badge plugin version 1.2.4 or earlier are affected. The plugin is distributed by nsthemes under the product name NS Product icon badge.

Risk and Exploitability

The CVSS score of 6.1 indicates moderate severity. No EPSS score is available, and the vulnerability is not listed in CISA KEV. The likely attack vector is via a crafted link or form that includes unsanitized PHP_SELF data; unauthenticated users can trigger the exploitation by visiting the link. An attacker with no credentials can therefore inject scripts that will execute in the context of any user who views the impacted page.

Generated by OpenCVE AI on May 27, 2026 at 07:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the NS Product icon badge plugin to the latest available version that removes the PHP_SELF reference; if a newer release does not exist, consider disabling or uninstalling the plugin.
  • If an update is not feasible, restrict access to any plugin pages that use PHP_SELF to administrators only and replace any hard‑coded PHP_SELF usage with a secure alternative such as wp_get_referer or wp_verify_nonce.
  • Implement a strict Content Security Policy that blocks inline script execution, which mitigates the impact of any reflected XSS payloads that may still be delivered.

Generated by OpenCVE AI on May 27, 2026 at 07:52 UTC.
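To make the Impact and Recommended Actions sections concrete, the following PHP is an added illustration, not code from the NS Product icon badge plugin (this page does not show the plugin's source): the unsafe PHP_SELF idiom that produces this class of reflected XSS, beside a hardened form built with WordPress helpers. The nspib_* function names and the settings page slug are hypothetical.

```php
<?php
// Pattern A: the unsafe idiom. $_SERVER['PHP_SELF'] is the script path as requested,
// including any extra path segment the client appends after the script name, so it is
// attacker-influenced input. Echoing it raw into an attribute means a crafted URL can
// close the attribute and inject markup into the rendered page (CWE-79, reflected XSS).
function nspib_settings_form_unsafe() {
    echo '<form method="post" action="' . $_SERVER['PHP_SELF'] . '">';
    // ... settings fields ...
    echo '</form>';
}

// Pattern B: hardened. Do not derive the form target from PHP_SELF at all: build it from a
// site-controlled base with admin_url(), escape at the point of output with esc_url()
// (which strips characters such as quotes and angle brackets that are not valid in a URL),
// and add a nonce so the POST handler can verify the request came from this form.
function nspib_settings_form_safe() {
    $action = admin_url( 'admin.php?page=nspib-settings' ); // hypothetical page slug
    echo '<form method="post" action="' . esc_url( $action ) . '">';
    wp_nonce_field( 'nspib_save_settings', 'nspib_nonce' );
    // ... settings fields ...
    echo '</form>';
}
```

To audit an installation for the unsafe pattern, search the plugin tree for PHP_SELF (for example `grep -rn PHP_SELF wp-content/plugins/`) and confirm every hit is wrapped in an escaping function at the point of output, or replaced as above.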


Advisories

No advisories yet.

History

Wed, 27 May 2026 13:30:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 27 May 2026 10:30:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Nsthemes; Nsthemes ns Product Icon Badge; Wordpress; Wordpress wordpress
Vendors & Products  |                | Nsthemes; Nsthemes ns Product Icon Badge; Wordpress; Wordpress wordpress

Wed, 27 May 2026 06:30:00 +0000

Type        | Values Removed | Values Added
Description |                | The NS Product icon badge plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PHP_SELF in all versions up to, and including, 1.2.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Title       |                | NS Product icon badge <= 1.2.4 - Reflected Cross-Site Scripting via PHP_SELF
Weaknesses  |                | CWE-79
References  |                |
Metrics     |                | cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-27T10:32:53.989Z

Reserved: 2026-05-15T19:41:03.831Z

Link: CVE-2026-8707

Vulnrichment

Updated: 2026-05-27T10:32:49.256Z

NVD

Status : Received

Published: 2026-05-27T07:16:14.670

Modified: 2026-05-27T07:16:14.670

Link: CVE-2026-8707

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T10:06:58Z

Weaknesses