PT-2026-42083 · WordPress · Sponsorme

Abdulsamad Yusuf

·

Published

2026-05-20

·

Updated

2026-05-28

·

CVE-2026-8626

CVSS v3.1

6.1

Medium

VectorAV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions SponsorMe versions prior to 0.5.3
Description Insufficient input sanitization and output escaping allow unauthenticated attackers to inject arbitrary web scripts into pages. This occurs when a user is tricked into clicking a crafted link. The PHP SELF variable is reflected in a form action attribute and an anchor href attribute within the vulnerable function, which can be exploited by appending a payload to the 'wp-admin/admin.php' endpoint.
Recommendations Update to a version later than 0.5.2.

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-8626

Affected Products

Sponsorme