Security Alert: XSS in Global BMI Plugin (CVE-2026-8883)

Cross Site Scripting (XSS) in WordPress Global Body Mass Index Calculator Plugin
Plugin name: Global Body Mass Index Calculator
Vulnerability type: Cross-site scripting (XSS)
CVE number: CVE-2026-8883
Urgency: Low
CVE publication date: 2026-06-09
Source URL: CVE-2026-8883

CVE-2026-8883: Authenticated (Contributor) Stored XSS in Global Body Mass Index Calculator — What Site Owners Must Do Today

Author: Hong Kong security expert | Date: 2026-06-08

TL;DR — A stored cross-site scripting vulnerability (CVE-2026-8883) in the “Global Body Mass Index Calculator” WordPress plugin (versions ≤ 1.2) allows an authenticated Contributor account to save malicious scripts that execute later in the browser of administrators or other users who view the stored content. Rated medium-ish (CVSS 6.5) but requiring contributor access and a privileged user to view the content, this bug can nonetheless be chained with other issues to produce serious compromise. Immediate mitigations are required: identify the plugin, remove or disable it if you cannot patch, restrict contributor privileges, search & clean stored content, and apply temporary server-side protections until a secure fix is deployed.

Why this matters (plain language)

Stored XSS means malicious code is saved on your site and later served to other users. In this case:

  • An account with Contributor privileges can submit input containing JavaScript or HTML payloads.
  • The payload is stored in the database and later rendered in pages or admin screens viewed by higher‑privileged users (Editors, Administrators).
  • When viewed, the browser executes the malicious script in the context of your site — enabling session theft, UI manipulation, privileged actions, or delivery of secondary payloads.

This vulnerability requires an authenticated Contributor (or similar capability) and typically an admin view to trigger. That requirement reduces remote risk but does not make the issue harmless — stored XSS persists and can be executed repeatedly against many targets.
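The save-then-render pattern described above, as an added example that is not code from the Global Body Mass Index Calculator plugin: a hypothetical shortcode (`[bmi_demo]`, with a made-up `title` attribute and `_bmi_demo_description` meta key) that a Contributor can place in a post, first in the vulnerable form that concatenates stored input straight into HTML, then in the hardened form that escapes at output and restricts markup on save.

```php
<?php
/**
 * Added example, not code from the Global Body Mass Index Calculator plugin.
 * Shows the generic stored-XSS pattern in a hypothetical WordPress shortcode
 * and the hardened version of the same handler. A Contributor can put the
 * shortcode, with an attribute they control, into a post; the HTML it returns
 * is rendered later in every viewer's browser, including an Administrator's.
 */

// Vulnerable: the attribute value is trusted and concatenated into HTML as-is.
// Constructed input: [bmi_demo title="<img src=x onerror=alert(1)>"]
// The browser receives the <img> tag verbatim and runs the onerror handler.
function bmi_demo_shortcode_unsafe( $atts ) {
    $atts = shortcode_atts( array( 'title' => 'BMI' ), $atts, 'bmi_demo' );
    return '<div class="bmi-box"><h3>' . $atts['title'] . '</h3></div>';
}

// Hardened: escape at the point of output, for the context the value lands in.
// The same constructed input now reaches the browser as
// &lt;img src=x onerror=alert(1)&gt; inside the <h3>, which is inert text.
function bmi_demo_shortcode_safe( $atts ) {
    $atts  = shortcode_atts( array( 'title' => 'BMI' ), $atts, 'bmi_demo' );
    $title = $atts['title'];
    return '<div class="bmi-box" data-title="' . esc_attr( $title ) . '">'
         . '<h3>' . esc_html( $title ) . '</h3></div>';
}

// Where stored free-form text must keep some HTML (a description field, for
// example), also restrict on save so only post-safe markup is ever persisted.
function bmi_demo_save_description( $post_id, $raw ) {
    $clean = wp_kses_post( wp_unslash( $raw ) );            // strips script/event handlers
    update_post_meta( $post_id, '_bmi_demo_description', $clean ); // hypothetical meta key
}

// Register only the hardened handler.
add_shortcode( 'bmi_demo', 'bmi_demo_shortcode_safe' );
```

Escaping on output (`esc_html`, `esc_attr`) is what stops the stored payload from executing, so it belongs in every render path regardless of what was sanitized on save; `wp_kses_post` on save is a second layer that keeps the dangerous markup out of the database in the first place, which also makes the content scan in the mitigation checklist below much shorter.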

Quick fact sheet

  • Affected plugin: Global Body Mass Index Calculator
  • Affected versions: ≤ 1.2
  • Vulnerability class: Stored Cross-Site Scripting (XSS)
  • Privilege required: Contributor (authenticated)
  • CVE: CVE-2026-8883
  • Severity / score: CVSS 6.5 (medium-ish)
  • Patch status: No official patch available at time of disclosure
  • Disclosure date: 8 June 2026
  • Research credited to: security researcher (publicly credited)

Risk assessment — what an attacker can do

Even though exploitation requires an authenticated Contributor, impacts include:

  • Execution of arbitrary JavaScript in administrator browsers, allowing actions performed via the admin session (create users, change settings, inject content).
  • Delivery of secondary payloads: webshells, miners, redirector scripts or persistent backdoors.
  • Pivoting to other internal resources accessible from an admin browser.
  • Automated abuse on sites that allow open registration or have many contributors, enabling mass exploitation.

Immediate mitigation checklist

  1. Identify installation:

    Go to Dashboard → Plugins → Installed Plugins and check for “Global Body Mass Index Calculator”. If installed and version ≤ 1.2, treat the plugin as vulnerable.

  2. Deactivate if you cannot patch:

    Deactivating removes the attack surface until an official fixed version is released. If the plugin is essential, use the temporary mitigations below.

  3. Restrict contributor-like capabilities:

    Suspend or remove untrusted contributor accounts. Audit accounts with capabilities such as edit_posts and consider granting a more restricted custom role for untrusted users.

  4. Scan for suspicious content:

    Search posts, comments, form entries and plugin-managed content for