CVE-2026-8626

🗓️ 20 May 2026 01:25:49Reported by WordfenceType

cve🔗 web.nvd.nist.gov📰️ 1 Media mentions👁 13 Views🌐 WEB

SponsorMe WordPress plugin has reflected XSS via PHP_SELF up to 0.5.2, exploitable via admin.php.

Reporter	Title	Published	Views	Family All 9
ATTACKERKB	CVE-2026-8626	20 May 202601:25	–	attackerkb
Circl	CVE-2026-8626	20 May 202607:32	–	circl
CNNVD	WordPress plugin SponsorMe 跨站脚本漏洞	20 May 202600:00	–	cnnvd
Cvelist	CVE-2026-8626 SponsorMe <= 0.5.2 - Reflected Cross-Site Scripting via PHP_SELF Parameter	20 May 202601:25	–	cvelist
EUVD	EUVD-2026-31024	20 May 202601:25	–	euvd
NVD	CVE-2026-8626	20 May 202602:16	–	nvd
Patchstack	WordPress SponsorMe plugin <= 0.5.2 - Reflected Cross-Site Scripting vulnerability	25 May 202607:30	–	patchstack
Positive Technologies	PT-2026-42083	20 May 202600:00	–	ptsecurity
Vulnrichment	CVE-2026-8626 SponsorMe <= 0.5.2 - Reflected Cross-Site Scripting via PHP_SELF Parameter	20 May 202601:25	–	vulnrichment

Vulners

Node

owencutajar sponsormeRange≤0.5.2wordpress

[
  {
    "vendor": "owencutajar",
    "product": "SponsorMe",
    "versions": [
      {
        "version": "0",
        "status": "affected",
        "lessThanOrEqual": "0.5.2",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

Source	Link
plugins	www.plugins.trac.wordpress.org/browser/sponsorme/trunk/sponsorme.php
plugins	www.plugins.trac.wordpress.org/browser/sponsorme/trunk/sponsorme.php
wordfence	www.wordfence.com/threat-intel/vulnerabilities/id/7df7f541-b8aa-46fa-bfca-b333beea27f9

Parameter	Position	Path	Description	CWE
PHP_SELF	path	wp-admin/admin.php	Reflected XSS via PHP_SELF in form action and anchor href reflected from the request, exploitable by crafting payload in the URL path.	CWE-79

20 May 2026 13:54Current

6Medium risk

Vulners AI Score6

CVSS 3.16.1

EPSS0.00089

SSVC

CWE-79