MEDIUM
lykich
CVE published 2026-05-20
CVE-2026-8627
The Correct Prices plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $_SERVER['PHP_SELF'] variable in versions up to and including 1.0. This is due to the correct_prices_page() function echoing $_SERVER['PHP_SELF'] into a form's action attribute without any input sanitization or output escaping. The vulnerability allows unauthenticated attackers to inject arbitrary web scripts b [truncated]