PT-2026-42084 · WordPress · Correct Prices

Abdulsamad Yusuf · Published 2026-05-20 · Updated 2026-05-28 · CVE-2026-8627

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Correct Prices versions prior to 1.1

Description: The Correct Prices plugin for WordPress is subject to Reflected Cross-Site Scripting, a flaw where an application includes untrusted data in a web page without proper validation, allowing an attacker to execute scripts in the victim's browser. The issue occurs within the correct_prices_page() function, which echoes the $_SERVER['PHP_SELF'] variable into a form's action attribute without input sanitization or output escaping. Because $_SERVER['PHP_SELF'] reflects any path-info appended to the script URL, unauthenticated attackers can inject arbitrary markup and web scripts by tricking a user into clicking a specially crafted link.

Recommendations: Update to a version later than 1.0. As a temporary workaround, restrict access to the correct_prices_page() function until a patch is applied.
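The pattern the advisory describes, and one way to harden it, as an added illustration that is not the plugin's own code: the function name correct_prices_page() comes from the advisory, while the menu slug 'correct-prices', the nonce action name and the text domain are assumptions. The fix builds the form action from WordPress's own URL helper instead of request-controlled data and escapes every value on output.

```php
<?php
// Added illustration; not code from the Correct Prices plugin.
// Assumed names: menu slug 'correct-prices', nonce action 'correct_prices_run',
// text domain 'correct-prices'.

// Vulnerable pattern described in the advisory: $_SERVER['PHP_SELF'] includes any
// path-info appended to the script URL, so whatever follows the script name in the
// request lands unescaped inside the action attribute.
function correct_prices_page_vulnerable() {
    echo '<form method="post" action="' . $_SERVER['PHP_SELF'] . '">';
    echo '<input type="submit" value="Correct prices">';
    echo '</form>';
}

// Hardened form: the action is derived from the site's admin URL and a fixed slug
// (admin_url() is a core WordPress helper), never from the incoming request, and is
// escaped with esc_url() at output. A nonce field ties submissions to this page.
function correct_prices_page_fixed() {
    $action = admin_url( 'admin.php?page=correct-prices' ); // slug assumed
    echo '<form method="post" action="' . esc_url( $action ) . '">';
    wp_nonce_field( 'correct_prices_run', 'correct_prices_nonce' );
    echo '<input type="submit" value="'
        . esc_attr__( 'Correct prices', 'correct-prices' ) . '">';
    echo '</form>';
}

// Matching handler for the hardened form: check capability and nonce before acting.
function correct_prices_handle_post() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'correct-prices' ) );
    }
    check_admin_referer( 'correct_prices_run', 'correct_prices_nonce' );
    // ... perform the price correction here ...
}
```

The same escaping rule applies to any other request-derived value (query arguments, REQUEST_URI, HTTP_HOST) that ends up inside an attribute: pass it through esc_url() or esc_attr() at the point of output.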

Fix · XSS

Related Identifiers: CVE-2026-8627

Affected Products: Correct Prices