MEDIUM
owencutajar
CVE published 2026-05-20
CVE-2026-8626
The SponsorMe plugin for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) via the PHP_SELF parameter in all versions up to and including 0.5.2. The vulnerability stems from insufficient input sanitization and output escaping, allowing unauthenticated attackers to inject arbitrary web scripts. Successful exploitation requires tricking a user into clicking a malicious link. The PHP_SELF value [truncated]