CVE-2026-8628
MediumCVSS 6.1Exploitation Probability (EPSS)
Low risk11th percentile — higher than 11% of all known CVEs
Summary
The EntreDroppers plugin for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) via the PHP_SELF parameter in all versions up to and including 1.1.2 due to insufficient input sanitization and output escaping. This allows unauthenticated attackers to inject arbitrary web scripts if they can trick a user into performing an action such as clicking on a link.
Risk Assessment
This vulnerability allows unauthorized attackers to inject malicious scripts, potentially leading to user data theft or session hijacking. Organizations should be aware of the risks associated with using this plugin on their sites.
Recommendation
It is recommended to update the EntreDroppers plugin to the latest version that includes security fixes. Additionally, conducting a security audit of the application is advisable to minimize the risk of XSS attacks.
Original NVD description (English source)
The EntreDroppers plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PHP_SELF Parameter in all versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. The payload is delivered via attacker-controlled path-info in the URL (e.g., /wp-admin/admin.php/"><script>alert(0)</script>/?page=EntreDroppers.php), which PHP_SELF reflects directly into the form action attribute.

