CVE-2026-8707
Description
The NS Product icon badge plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PHP_SELF in all versions up to, and including, 1.2.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in NS Product icon badge plugin for WordPress up to 1.2.4 via unsanitized PHP_SELF allows unauthenticated attackers to inject arbitrary web scripts.
Vulnerability
The NS Product icon badge plugin for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) in all versions up to and including 1.2.4. The plugin's options page, ns_addNewOptionsPage.php, outputs $_SERVER['PHP_SELF'] without sanitizing or escaping it [1]. PHP_SELF is not a fixed value: it is the path of the executing script plus any trailing path segments (PATH_INFO) the request carried, so a request whose path appends extra text after the script name (for example /wp-admin/admin.php/<payload>?page=...) makes that text part of PHP_SELF, and the plugin reflects it into the page verbatim.
Exploitation
An unauthenticated attacker exploits this by crafting a URL to the plugin's options page with an HTML/JavaScript payload appended to the request path after the script name. PHP_SELF is a server variable derived from the path, not a query parameter, so the payload does not need to appear in the query string. The attacker then delivers the link to a victim through phishing or social engineering. No account or special privilege is needed on the attacker's side, but the page only renders for a logged-in user who is allowed to open the plugin's options page, so the injected script runs inside that user's WordPress admin session. The path-info route works only where the web server passes trailing path segments through to the PHP script, which common PHP deployments do by default.
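The two concrete questions a responder has here are "what does PHP_SELF actually contain for a given request?" and "has anyone tried this against my site?". The script below is an added example, not code from the advisory, the plugin or Wordfence: it approximates how PHP derives PHP_SELF from a request target (script path plus decoded PATH_INFO, query string dropped) and then scans Apache combined-format access log lines for PATH_INFO appended to a .php script that carries attribute- or tag-breaking characters. The log lines, IP addresses and the page slug ns_iba_options are constructed for the example; the real plugin's slug is not stated on this page.

```python
"""Added example: simulate PHP_SELF derivation and hunt for PATH_INFO-based
reflected-XSS attempts in web server logs. Not part of the plugin or advisory."""
import re
from urllib.parse import unquote, urlsplit

# Apache "combined" log prefix: ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Characters that let PATH_INFO escape an HTML attribute or tag once it is reflected.
MARKUP_RE = re.compile(r'[<>"\']')


def php_self_for(request_target: str) -> str:
    """Approximate $_SERVER['PHP_SELF']: the request path with the query string
    removed and percent-encoding decoded, trailing PATH_INFO included.
    Simplification: real servers also apply aliases and rewrite rules first."""
    return unquote(urlsplit(request_target).path)


def path_info_of(request_target: str) -> str:
    """Return the decoded PATH_INFO (everything after the first '.php' segment),
    or '' when the request has none."""
    path = unquote(urlsplit(request_target).path)
    m = re.search(r'\.php(/.*)$', path)
    return m.group(1) if m else ''


def flag_php_self_xss(log_lines):
    """Return (ip, target, path_info) for requests whose PATH_INFO carries markup
    characters. Benign PATH_INFO (e.g. /index.php/2026/05/post/) is not flagged."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        info = path_info_of(m['target'])
        if info and MARKUP_RE.search(info):
            hits.append((m['ip'], m['target'], info))
    return hits


# Constructed sample log lines (not real traffic): one normal options-page load,
# one PATH_INFO injection attempt, one benign permalink-style PATH_INFO request.
SAMPLE_LOG = [
    '203.0.113.5 - - [27/May/2026:10:00:00 +0000] '
    '"GET /wp-admin/admin.php?page=ns_iba_options HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [27/May/2026:10:00:05 +0000] '
    '"GET /wp-admin/admin.php/%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E'
    '?page=ns_iba_options HTTP/1.1" 200 5190 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [27/May/2026:10:00:09 +0000] '
    '"GET /index.php/2026/05/hello-world/ HTTP/1.1" 200 8801 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, target, info in flag_php_self_xss(SAMPLE_LOG):
        print(f"{ip} reflected PHP_SELF would be {php_self_for(target)!r}; PATH_INFO={info!r}")
```

Access logs record the raw request line, so the payload appears percent-encoded there while PHP sees it decoded; the scanner decodes once, which matches what the server does. Double-encoded payloads (`%2522`) only matter if your stack decodes twice, which it does not by default.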
Impact
Successful exploitation executes attacker-supplied script in the victim's browser within the site's own origin. Because the affected page is part of the admin dashboard, the script runs with the victim's privileges: it can drive the admin interface and WordPress's REST and AJAX endpoints on the victim's behalf, read or deface page content, and exfiltrate any data the session exposes. The attack is reflected, so nothing is stored on the server, but the payload fires every time a crafted link is opened.
Mitigation
As of the publication date (2026-05-27), no patched version had been released; the vendor has not provided a fix for versions up to 1.2.4. Until an update is available, disable or remove the plugin. Administrators who must keep it running can patch the affected file themselves: escape PHP_SELF on output with esc_attr() or esc_url(), or better, stop using PHP_SELF altogether and point the form at a fixed admin URL (or omit the action attribute, which submits to the current page without reflecting anything). As defense in depth, refusing trailing path segments for PHP scripts at the web server (for example Apache's AcceptPathInfo Off, where the PHP handler honours it) removes the injection route, though it can break other software that relies on PATH_INFO. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog at this time.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
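The self-patch described under Mitigation, shown as an added example rather than the plugin's own code. The page does not show the exact line in ns_addNewOptionsPage.php, so the form markup below is a hypothetical instance of the usual pattern (PHP_SELF in a form's action attribute); the slug ns_iba_options and the esc_attr()/admin_url() stand-ins are assumptions so the script runs outside WordPress, where core supplies the real functions.

```php
<?php
// Added example, not the plugin's code: PHP_SELF reflected into an attribute, and two fixes.
// Stand-ins so this runs outside WordPress; in a plugin, core provides esc_attr()/admin_url().
if ( ! function_exists( 'esc_attr' ) ) {
	function esc_attr( $text ) {
		return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
	}
}
if ( ! function_exists( 'admin_url' ) ) {
	function admin_url( $path = '' ) {
		return 'https://example.test/wp-admin/' . ltrim( $path, '/' ); // hypothetical site
	}
}

// Constructed request: everything after admin.php is PATH_INFO, which PHP folds into PHP_SELF.
$_SERVER['PHP_SELF'] = '/wp-admin/admin.php/"><script>alert(document.domain)</script>';

// VULNERABLE: raw PHP_SELF inside an attribute. The '"' closes the attribute, '>' closes
// the tag, and the <script> element that follows is parsed as live markup.
function render_form_vulnerable() {
	return '<form method="post" action="' . $_SERVER['PHP_SELF'] . '">' . PHP_EOL;
}

// FIX 1 (minimal): escape on output so quotes and angle brackets cannot leave the attribute.
// WordPress also offers esc_url(), which additionally strips characters not valid in a URL.
function render_form_escaped() {
	return '<form method="post" action="' . esc_attr( $_SERVER['PHP_SELF'] ) . '">' . PHP_EOL;
}

// FIX 2 (preferred): do not reflect request-derived data at all; post to a fixed admin URL.
function render_form_fixed_action() {
	$target = admin_url( 'admin.php?page=ns_iba_options' ); // hypothetical slug
	return '<form method="post" action="' . esc_attr( $target ) . '">' . PHP_EOL;
}

echo 'vulnerable: ', render_form_vulnerable();
echo 'escaped:    ', render_form_escaped();
echo 'fixed:      ', render_form_fixed_action();
```

Running it prints the vulnerable line with a live `<script>` tag, the escaped line with `&quot;&gt;&lt;script&gt;` inert inside the attribute, and the fixed line with no request-derived content at all. Fix 2 is what to ship: Fix 1 stops the XSS but still lets an attacker-chosen PATH_INFO decide where the form posts.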
Affected products
- NS Product icon badge plugin for WordPress (no CPE), versions <= 1.2.4
Patches
No patches discovered yet.
References
1. plugins.trac.wordpress.org/browser/product-icon-badge/tags/1.2.4/ns_IBA_mainOptions/ns_addNewOptionsPage.php (via NVD)
2. www.wordfence.com/threat-intel/vulnerabilities/id/d1c1847c-8cc9-4080-8da5-7364c4358034 (via NVD)