Yet Another bol.com Plugin <= 1.4 Reflected Cross-Site Scripting
No known patch is available for this vulnerability.
The affected plugin has been removed from the WordPress.org directory (reason: Security Issue), and no patched version is being distributed through the official directory. If you have the affected software installed, you should uninstall or replace it rather than wait for an update.
Description
Reflected XSS in Yet Another bol.com Plugin <=1.4 due to unsanitized use of $_SERVER['PHP_SELF'] in yabp.php, allowing arbitrary script injection.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Yet Another bol.com Plugin for WordPress, versions up to and including 1.4, contains a reflected Cross-Site Scripting (XSS) vulnerability in the ~/yabp.php file. The plugin unsafely uses the $_SERVER["PHP_SELF"] value without sanitization in a sprintf() call [1], allowing attackers to inject arbitrary web scripts.
Exploitation
An attacker can craft a malicious URL whose path portion (reflected in $_SERVER["PHP_SELF"]) includes a JavaScript payload. No authentication is required of the attacker; the victim must be logged into WordPress and follow the crafted link.
Impact
Successful exploitation enables arbitrary JavaScript execution in the victim's browser, leading to cookie theft, session hijacking, or site defacement.
Mitigation
The plugin has been closed and removed from the WordPress plugin directory as of September 7, 2021, due to a security issue [2]. No patched version is available. Users should uninstall the plugin immediately.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Yet Another bol.com Plugin, range: <= 1.4
- Yet Another bol.com Plugin / Yet Another bol.com Plugin, range: 1.4
Patches
yabp: This plugin has been removed from the WordPress.org directory on 2021-09-07 (reason: Security Issue). No patched version is being distributed through the official directory. Users who have it installed should uninstall it.
Source: api.wordpress.org · directory page
Vulnerability mechanics
Root cause
"The plugin reflects the unsanitized $_SERVER["PHP_SELF"] value in the yabp.php file, enabling reflected cross-site scripting."
Attack vector
An attacker can craft a URL containing malicious JavaScript in the path portion that is reflected via `$_SERVER["PHP_SELF"]` in the `yabp.php` file. When a victim visits this crafted URL, the injected script executes in the context of the victim's browser session on the WordPress site. No authentication is required to trigger the reflected XSS.
Affected code
The vulnerability is in the `~/yabp.php` file of the Yet Another bol.com Plugin. The plugin reflects the `$_SERVER["PHP_SELF"]` value without sanitization, allowing an attacker to inject arbitrary web scripts into the page output.
What the fix does
The advisory does not include a patch diff. To remediate, the plugin should escape or validate the `$_SERVER["PHP_SELF"]` value before outputting it, or use a relative path that does not rely on user-controlled input. No fix has been published; if a patched version is ever released, users should upgrade to it.
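As an added illustration (not the plugin's code, which the advisory does not reproduce), the vulnerable sprintf() pattern beside two hardened forms; the request path value and the function names are constructed for the example:

```php
<?php
// Added example, not the plugin's own code. It shows the class of bug the
// advisory describes: PHP_SELF (which includes any extra path segments sent
// by the client) interpolated into HTML via sprintf() without escaping.

// Vulnerable pattern: request-derived path lands in an HTML attribute verbatim.
function render_form_vulnerable(string $php_self): string
{
    return sprintf('<form method="post" action="%s">', $php_self);
}

// Hardened pattern 1: escape for the HTML attribute context before output.
// In WordPress the equivalent helpers are esc_attr() or esc_url().
function render_form_escaped(string $php_self): string
{
    $safe = htmlspecialchars($php_self, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return sprintf('<form method="post" action="%s">', $safe);
}

// Hardened pattern 2: do not echo request-derived paths at all. A form with
// no action attribute submits to the current URL, so PHP_SELF is not needed.
function render_form_no_reflection(): string
{
    return '<form method="post">';
}

function check(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException("check failed: $what");
    }
}

// Constructed probe value (an assumption, not a real request): extra path
// segments carrying characters that are significant in HTML. Harmless by
// itself, but it reveals whether markup characters reach the output raw.
$probe = '/wp-admin/admin.php/"<probe>';

$vulnerable = render_form_vulnerable($probe);
$escaped    = render_form_escaped($probe);

// The raw '<probe>' survives in the vulnerable output and is neutralised
// (entity-encoded, quotes included) in the escaped one.
check(strpos($vulnerable, '<probe>') !== false, 'vulnerable output reflects markup');
check(strpos($escaped, '<probe>') === false, 'escaped output has no raw markup');
check(strpos($escaped, '&lt;probe&gt;') !== false, 'angle brackets encoded');
check(strpos($escaped, '&quot;') !== false, 'attribute quote encoded');

echo $vulnerable, PHP_EOL;
echo $escaped, PHP_EOL;
echo render_form_no_reflection(), PHP_EOL;
```

The same check generalises to any request-derived value (REQUEST_URI, QUERY_STRING, GET parameters) placed in page output: grep for sprintf()/echo of $_SERVER or $_GET values and confirm each is escaped for its output context.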
Preconditions
- Input: The attacker must trick a logged-in WordPress user (or any user) into clicking a crafted link.
- Config: The plugin must be installed and active.
Generated on Jun 11, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
[1] plugins.trac.wordpress.org/browser/yabp/tags/1.4/yabp.php (MISC)
[2] www.wordfence.com/vulnerability-advisories/ (MISC)
News mentions
No linked articles in our index yet.