CVE-2026-1647
Description
The Comment Genius plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $_SERVER['PHP_SELF'] parameter in all versions up to, and including, 1.2.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in Comment Genius WordPress plugin via PHP_SELF parameter, enabling unauthenticated script injection.
Vulnerability Overview
The Comment Genius plugin for WordPress, in all versions up to and including 1.2.5, is vulnerable to Reflected Cross-Site Scripting through $_SERVER['PHP_SELF']. PHP_SELF is not a query parameter but a server variable that PHP derives from the requested path; on common Apache/mod_php configurations it is SCRIPT_NAME plus PATH_INFO, so any extra path segment a requester appends after the script name (for example /some-plugin-file.php/<payload>) is carried through unchanged. The root cause is that the plugin writes this value into its HTML output without sanitizing it on input or escaping it on output, so the attacker-influenced path is reflected into the page. The plugin has been closed as of March 5, 2026 due to a security issue [1].
Attack Vector
An unauthenticated attacker can exploit this by crafting a link to the affected plugin file whose path carries additional segments containing JavaScript; because PHP_SELF reflects the requested path, the payload is written into the response. Successful exploitation requires tricking a user into opening the crafted link. The attack surface is broad because no authentication is needed, and the injected script executes in the victim's browser within the site's origin, with whatever session the victim holds [1].
Impact
Successful exploitation allows an attacker to run arbitrary script in the victim's browser when the victim opens the crafted link. The consequences can include session hijacking, credential theft, or defacement of the affected WordPress site. Two caveats apply: WordPress sets its authentication cookies with the HttpOnly flag, so the script usually cannot read them directly, and the more realistic abuse is issuing authenticated requests from the victim's browser (fetching a nonce, then calling admin endpoints) if the victim is logged in; and because the vulnerability is reflected, the payload travels in each malicious URL and nothing persists on the server, so every victim must be lured individually [1].
Mitigation
The plugin has been closed and removed from the official WordPress plugin directory, so no patched version is available; site owners must uninstall it and replace it with an alternative. As of the publication date there is no vendor-supplied workaround [1]. For code that must render the current URL, the general fix for this bug class is to never echo $_SERVER['PHP_SELF'] raw: pass it through htmlspecialchars() (esc_attr() or esc_url() in WordPress) at the point of output, or avoid reflecting the request path at all by using a fixed or empty form action.
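The vulnerable pattern and its fix, as an added example that is not the plugin's own code (the plugin's actual source is not on this page): a hypothetical form that echoes $_SERVER['PHP_SELF'] into an action attribute, the same form with output escaping, and a variant that avoids reflecting the path at all. The plugin path and the attacker-controlled path in the $server array are constructed for the demonstration; the script runs stand-alone from the PHP CLI.

```php
<?php
// Added example (not Comment Genius code): the classic $_SERVER['PHP_SELF']
// reflected-XSS pattern and its hardened form. The form, the plugin path and
// the attacker path below are all constructed for illustration.

// Vulnerable pattern: the request path is written straight into an attribute.
function render_form_vulnerable(array $server): string
{
    return '<form method="post" action="' . $server['PHP_SELF'] . '">'
         . '<textarea name="comment"></textarea></form>';
}

// Hardened pattern: escape on output. htmlspecialchars() with ENT_QUOTES
// turns <, >, ", ' and & into entities, so the value can no longer close
// the attribute or open a tag. In a WordPress plugin esc_attr() or esc_url()
// does the same job for attribute and URL contexts respectively.
function render_form_hardened(array $server): string
{
    $action = htmlspecialchars($server['PHP_SELF'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form method="post" action="' . $action . '">'
         . '<textarea name="comment"></textarea></form>';
}

// Better still: do not reflect the request path at all. An empty action
// posts back to the current URL without touching attacker-influenced data.
function render_form_fixed_action(): string
{
    return '<form method="post" action="">'
         . '<textarea name="comment"></textarea></form>';
}

// Crude check used only to show the difference between the two outputs:
// does the rendered HTML still contain a live <script tag?
function contains_live_script(string $html): bool
{
    return stripos($html, '<script') !== false;
}

// Constructed request. On common Apache/mod_php setups PHP_SELF is
// SCRIPT_NAME plus PATH_INFO, so a request for
//   /wp-content/plugins/example/form.php/%22%3E%3Cscript%3Ealert(1)%3C/script%3E
// arrives (URL-decoded) as the value below. The plugin path is hypothetical.
$server = [
    'PHP_SELF' => '/wp-content/plugins/example/form.php/"><script>alert(1)</script>',
];

echo "Vulnerable:\n",   render_form_vulnerable($server), "\n\n";
echo "Hardened:\n",     render_form_hardened($server),   "\n\n";
echo "Fixed action:\n", render_form_fixed_action(),      "\n\n";

var_dump(contains_live_script(render_form_vulnerable($server)));
var_dump(contains_live_script(render_form_hardened($server)));
```

Run it with `php php_self_xss.php`: the vulnerable output closes the action attribute at the injected `">` and emits a live `<script>` element, while the hardened output contains only `&quot;&gt;&lt;script&gt;...` entities that the browser renders as text. The escaping happens at the output sink, not on input, which is the correct place for an XSS fix because the same value may be safe in one context and dangerous in another.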
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 4
News mentions: 0
No linked articles in our index yet.