Security Alert: XSS in Global BMI Plugin (CVE-2026-8883)

Cross-Site Scripting (XSS) in the WordPress Global Body Mass Index Calculator plugin

  • Plugin name: Global Body Mass Index Calculator
  • Vulnerability type: Cross-site scripting (XSS)
  • CVE ID: CVE-2026-8883
  • Urgency:
  • CVE publication date: 2026-06-09
  • Source URL: CVE-2026-8883

CVE-2026-8883: Authenticated (Contributor) Stored XSS in Global Body Mass Index Calculator — What Site Owners Must Do Today

Author: Hong Kong Security Expert | Date: 2026-06-08

TL;DR — A stored cross-site scripting vulnerability (CVE-2026-8883) in the “Global Body Mass Index Calculator” WordPress plugin (versions ≤ 1.2) allows an authenticated Contributor account to save malicious scripts that execute later in the browser of administrators or other users who view the stored content. Rated medium-ish (CVSS 6.5) but requiring contributor access and a privileged user to view the content, this bug can nonetheless be chained with other issues to produce serious compromise. Immediate mitigations are required: identify the plugin, remove or disable it if you cannot patch, restrict contributor privileges, search & clean stored content, and apply temporary server-side protections until a secure fix is deployed.

Why this matters (in plain language)

Stored XSS means malicious code is saved on your site and later served to other users. In this case:

  • An account with Contributor privileges can submit input containing JavaScript or HTML payloads.
  • The payload is stored in the database and later rendered in pages or admin screens viewed by higher-privileged users (Editors, Administrators).
  • When viewed, the browser executes the malicious script in the context of your site — enabling session theft, UI manipulation, privileged actions, or delivery of secondary payloads.

This vulnerability requires an authenticated Contributor (or similar capability) and typically an admin view to trigger. That requirement reduces remote risk but does not make the issue harmless — stored XSS persists and can be executed repeatedly against many targets.
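To make the store-then-render path concrete, here is an added illustrative example that is not the plugin's own code (the vulnerable code is not reproduced in this advisory): a hypothetical WordPress plugin saves a Contributor-supplied calculator label to post meta and later prints it on an admin screen, first in the unsafe form and then with the sanitization, capability check and output escaping WordPress provides. The meta key, function names, nonce action and form field are assumptions.

```php
<?php
// Added illustrative example, NOT the Global Body Mass Index Calculator's code.
// Meta key '_bmi_label', field 'bmi_label' and the bmi_demo_* names are hypothetical.

// --- Unsafe pattern: raw input stored, then echoed without escaping -----------
function bmi_demo_save_label_unsafe( $post_id ) {
    if ( isset( $_POST['bmi_label'] ) ) {
        // A Contributor editing their own draft reaches this save path, and the
        // raw string (tags, event-handler attributes included) lands in the DB.
        update_post_meta( $post_id, '_bmi_label', wp_unslash( $_POST['bmi_label'] ) );
    }
}

function bmi_demo_render_label_unsafe( $post_id ) {
    // Rendered later in an admin screen: the stored string is parsed as HTML in
    // the administrator's browser. This unescaped echo is the stored-XSS sink.
    echo '<span class="bmi-label">' . get_post_meta( $post_id, '_bmi_label', true ) . '</span>';
}

// --- Hardened pattern: sanitize on input, check capability, escape on output --
function bmi_demo_save_label_safe( $post_id ) {
    if ( ! isset( $_POST['bmi_label'], $_POST['bmi_demo_nonce'] ) ) {
        return;
    }
    // Nonce plus capability check: only a user allowed to edit this post may save.
    if ( ! wp_verify_nonce( $_POST['bmi_demo_nonce'], 'bmi_demo_save' )
        || ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    // The label is plain text, so strip tags and control characters before storing.
    $label = sanitize_text_field( wp_unslash( $_POST['bmi_label'] ) );
    update_post_meta( $post_id, '_bmi_label', $label );
}

function bmi_demo_render_label_safe( $post_id ) {
    // Escape at the point of output regardless of what the DB holds, so content
    // stored before the fix (or through another path) is still rendered inertly.
    $label = get_post_meta( $post_id, '_bmi_label', true );
    echo '<span class="bmi-label">' . esc_html( $label ) . '</span>';
}

// If a little markup must be allowed, output through a restricted allowlist instead:
// echo wp_kses( $label, array( 'b' => array(), 'i' => array() ) );

add_action( 'save_post', 'bmi_demo_save_label_safe' );
```

The output-side escaping is the part that also neutralizes payloads already sitting in the database, which matters while cleanup (step 4 of the checklist) is still in progress.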

Quick facts

  • Affected plugin: Global Body Mass Index Calculator
  • Affected versions: ≤ 1.2
  • Vulnerability class: Stored cross-site scripting (XSS)
  • Required privilege: Contributor (authenticated)
  • CVE: CVE-2026-8883
  • Severity / score: CVSS 6.5 (medium-ish)
  • Patch status: No official patch available at time of disclosure
  • Disclosure date: 8 June 2026
  • Research credited to: security researcher (publicly credited)

Risk assessment — what an attacker can do

Even though exploitation requires an authenticated Contributor, impacts include:

  • Execution of arbitrary JavaScript in administrator browsers, allowing actions performed via the admin session (create users, change settings, inject content).
  • Delivery of secondary payloads: webshells, miners, redirector scripts or persistent backdoors.
  • Pivoting to other internal resources accessible from an admin browser.
  • Automated abuse on sites that allow open registration or have many contributors, enabling mass exploitation.

Immediate mitigation checklist

  1. Identify installation:

    Go to Dashboard → Plugins → Installed Plugins and check for “Global Body Mass Index Calculator”. If installed and version ≤ 1.2, treat the plugin as vulnerable.

  2. Deactivate if you cannot patch:

    Deactivating removes the attack surface until an official fixed version is released. If the plugin is essential, use the temporary mitigations below.

  3. Restrict contributor-like capabilities:

    Suspend or remove untrusted contributor accounts. Audit accounts with capabilities such as edit_posts and consider granting a more restricted custom role for untrusted users.

  4. Scan for suspicious content:

    Search posts, comments, form entries and plugin-managed content for