CVE-2026-8624 etspring CVE debrief

Who should care

WordPress site administrators using the LJ comments import: reloaded plugin; security teams managing WordPress deployments; developers maintaining WordPress plugins that utilize PHP_SELF

Technical summary

The LJ comments import: reloaded WordPress plugin fails to sanitize the PHP_SELF superglobal before outputting it in HTML context. PHP_SELF incorporates the PATH_INFO component of the request URI, which is attacker-controllable. The plugin contains two separate echo statements of this unsanitized value within the same function, creating multiple injection points. An unauthenticated attacker can craft a URL with a malicious PATH_INFO segment containing JavaScript payloads; when a victim visits this URL, the script executes in their browser context. This is a classic reflected XSS pattern requiring social engineering for exploitation.

Defensive priority

medium

Recommended defensive actions

• Update the LJ comments import: reloaded plugin to a version newer than 0.97.1 if available, or consider disabling the plugin until a patch is released
• Implement Web Application Firewall (WAF) rules to filter malicious PATH_INFO payloads targeting PHP_SELF
• Review and sanitize all uses of PHP_SELF in custom WordPress plugin code, using esc_url() or similar output escaping functions
• Deploy Content Security Policy (CSP) headers to mitigate the impact of any successful XSS exploitation
• Monitor WordPress admin access logs for suspicious requests containing script tags or encoded payloads in URL paths

Evidence notes

The vulnerability is documented in the WordPress plugin repository source code at lines 129 and 161 of lj_comments_import.php, where PHP_SELF is echoed without proper sanitization. Wordfence's threat intelligence provides additional technical analysis. The CVE record and NVD entry confirm the CVSS vector and CWE-79 classification.

Official resources